All Posts
CybersecurityCompliance

Texas Safe Harbor: How NIST CSF Shields You from Breach Lawsuits

· Infonaligy

Texas law gives businesses with a qualifying cybersecurity program an affirmative defense in breach lawsuits. Here's how to activate that protection.

Texas law already gives your business a legal shield against breach lawsuits, but only if you have a documented cybersecurity program in place before the breach happens. Under Texas Business and Commerce Code § 521.052, companies that create, maintain, and comply with a cybersecurity program based on a recognized framework can raise an affirmative defense when they get sued after a data breach. Most Texas SMBs have never heard of this law, which means most Texas SMBs are unprotected.

What the Safe Harbor Actually Says

The Texas cybersecurity safe harbor, originally enacted through HB 3834 in 2019, is straightforward in concept. If your business experiences a data breach and faces a civil lawsuit under the Texas Identity Theft Enforcement and Protection Act, you can assert an affirmative defense if you maintained a cybersecurity program that reasonably conforms to a recognized industry framework.

An affirmative defense is not immunity. It does not prevent someone from suing you. What it does is give you a strong, documented argument in court that your business took reasonable steps to protect personal data. The burden shifts: instead of scrambling to prove you did something right, you point to an established program and say, “We followed a recognized standard.”

Without this defense, you are left arguing that your ad-hoc security measures were “reasonable” with no recognized benchmark to back you up. Courts are far less sympathetic to that argument, especially when the plaintiff’s attorney can point out you had no formal program at all.

The law also specifies what disqualifies you. If your cybersecurity program existed only on paper and your business knowingly failed to comply with its own policies, the defense does not apply. This is not a checkbox exercise.

Which Frameworks Qualify

The statute lists several recognized frameworks that activate the safe harbor:

  • NIST Cybersecurity Framework (CSF) - the most flexible and widely applicable
  • NIST SP 800-171 - designed for protecting Controlled Unclassified Information, common in defense contracting
  • SOC 2 - focused on service organizations and cloud providers
  • ISO 27001 - international information security management standard
  • HIPAA Security Rule - required for healthcare and health data
  • PCI DSS - required for businesses that process payment cards
  • FedRAMP Security Assessment Framework - for cloud services used by federal agencies

For most Texas SMBs in the 50 to 500 employee range, NIST CSF is the best starting point. It was designed to be scalable and industry-agnostic, so it works for a 60-person manufacturing company just as well as a 400-person professional services firm. SOC 2 and ISO 27001 are solid but involve formal audits and certifications that add cost and complexity. HIPAA and PCI DSS only apply if you handle health data or payment cards. CMMC and NIST 800-171 matter primarily if you work in the defense supply chain.

NIST CSF organizes security into six core functions: Govern, Identify, Protect, Detect, Respond, and Recover. It does not prescribe specific technologies. Instead, it provides a structure for building and documenting your security program in a way that scales with your risk profile. That flexibility is exactly why it works well as a safe harbor foundation.

If your business also uses AI systems, Texas has created a parallel safe harbor under TRAIGA (the Texas Responsible AI Governance Act) for companies that follow the NIST AI Risk Management Framework. We covered the TRAIGA compliance timeline and enforcement details in a recent post. The pattern is the same: adopt a recognized framework, document your program, and you gain legal protection.

What “Maintaining a Program” Actually Requires

This is where most businesses fall short. The statute does not reward you for downloading a framework document and filing it away. You need a cybersecurity program that you actively maintain and that your organization actually follows. In practice, that means several things need to be in place.

Documented policies and procedures. Your organization needs written security policies that address access control, data handling, acceptable use, incident response, and vendor management, at minimum. These policies should map back to the framework you adopted. Generic templates pulled from the internet and never customized to your environment will not hold up in court.

A current risk assessment. You need a formal assessment of your security risks, updated regularly, that identifies your critical assets, threats, and vulnerabilities. NIST CSF makes this a foundational requirement. A cybersecurity risk assessment is typically the first step in building a qualifying program because it tells you where your gaps are.

An incident response plan. If a breach happens and you are relying on the safe harbor defense, the court will want to see that you had a plan for responding to exactly this kind of event. The plan should define roles, communication procedures, containment steps, and notification timelines.

Evidence of ongoing compliance. Regular security reviews, employee training records, vulnerability scan results, and policy update logs all serve as evidence that your program is alive and active. A program you built three years ago and never touched is not a program you “maintain.”

Reasonable conformity, not perfection. The law uses the phrase “reasonably conforms,” which is important. You do not need a perfect security posture. You need to demonstrate that your program was genuine, maintained, and aligned with the framework’s intent. Perfection is not the standard. Good faith effort and consistent practice are.

Why Most Texas SMBs Don’t Have This Protection

The protection exists. The frameworks are well-documented. The path is clear. And yet the vast majority of small and mid-size businesses in Texas are operating without a qualifying cybersecurity program.

The most common reason is simple: they do not know the law exists. The safe harbor passed in 2019 with relatively little fanfare. It was not headline news. Businesses across Dallas-Fort Worth and the rest of Texas continued operating with the same informal security practices they had before, unaware that the state had created a concrete incentive to formalize their programs.

The second reason is the “too small” assumption. Many business owners believe that frameworks like NIST CSF are only for large enterprises or government contractors. That is not true. NIST CSF was explicitly designed to scale down to small organizations. The framework does not require a 50-person security team or a seven-figure budget. It requires structure, documentation, and consistent follow-through.

The third and most common situation is what we see constantly: the business has security in place but nothing documented. They have firewalls, endpoint protection, MFA, and maybe even a managed security provider. But there is no written policy framework, no formal risk assessment on file, no incident response plan, and no evidence trail showing ongoing program maintenance. From a technology standpoint, they might be well-protected. From a legal standpoint, they have no safe harbor defense.

The gap between “having security tools” and “having a qualifying cybersecurity program” is mostly a documentation and process gap. Closing it does not require ripping out your infrastructure and starting over. It requires formalizing what you already do, filling in what is missing, and creating the paper trail that proves ongoing compliance.

What to Do Next

If your business operates in Texas and handles any personal data (and nearly every business does), the cybersecurity safe harbor should be part of your risk management strategy. The steps are concrete:

  1. Pick your framework. For most SMBs, NIST CSF is the right choice. If you are already subject to HIPAA or PCI DSS, those frameworks also qualify.
  2. Conduct a formal risk assessment. This is both a NIST CSF requirement and the foundation of your entire program. It identifies what you need to protect and where you are exposed.
  3. Document your policies. Written, specific, and mapped to the framework. Not generic templates.
  4. Build your incident response plan. Define who does what when something goes wrong, before something goes wrong.
  5. Create a compliance calendar. Schedule regular reviews, training, vulnerability scans, and policy updates. The “maintain” part of the law is not optional.
  6. Keep records. Every training session, every review meeting, every policy update, every scan result. If you ever need the safe harbor defense, this evidence is what makes it work.

This is not legal advice, and every business should consult with an attorney about how the safe harbor applies to their specific situation. But from a cybersecurity program standpoint, the technical and operational work to qualify is well within reach for any business willing to commit to it.

Need Help Building a Qualifying Cybersecurity Program?

We help Texas businesses implement NIST CSF-aligned security programs that activate the safe harbor defense.

Get a Free Assessment

Serving Businesses Across Texas & Oklahoma