Texas has passed a new law effective September 1, 2025, providing small and mid-sized businesses (SMBs) with fewer than 250 employees a safe harbor against exemplary (punitive) damages in the event of a data breach if they implement and maintain a recognized cybersecurity program, such as HITRUST certification.
If you have 100 to 249 employees and your business maintains a cybersecurity program that aligns with an industry-recognized framework, you can significantly reduce your legal risk if a breach occurs, even if sensitive data is compromised. The law encourages proactive investment in cybersecurity while providing legal protection and peace of mind.
The Texas safe harbor law recognizes frameworks such as the NIST Cybersecurity Framework and the HITRUST CSF. These frameworks help businesses implement administrative, technical, and physical safeguards to protect sensitive information.
HITRUST certification aligns with the HITRUST CSF, a comprehensive framework that integrates and harmonizes standards such as NIST, HIPAA, and ISO into a single, prescriptive, and scalable approach to security and compliance.
HITRUST certification
Regardless of your industry, adopting HITRUST helps you reduce legal risk, improve your cybersecurity, maintain compliance, and demonstrate your commitment to protecting your data and your business. HITRUST offers multiple certification types (e1, i1, r2), allowing you to start with foundational, validated security practices and scale your assurance program as your business grows.
If you would like to learn how HITRUST can help your organization align with the Texas safe harbor law and strengthen your cybersecurity program, please contact us. We can help you understand which certification type fits your current security posture and business needs.