AUSTIN (KXAN) — A new cybersecurity law designed to encourage small businesses to strengthen their digital defenses is set to take effect on Monday.

Senate Bill 2610, authored by Texas Sen. César Blanco, D-El Paso, limits civil liability for small businesses that experience a data breach—provided they have implemented a cybersecurity program that meets the standards outlined in the bill.

“It’s a way to encourage these small mom and pop businesses to add these additional protections for themselves and also for their customers,” Blanco said. “They could still be sued, but a judge or a jury can’t pile on extra penalties such as punitive damages.”

According to Cornell Law School, punitive damages in civil lawsuits are considered a form of punishment, typically awarded when the defendant’s conduct is especially harmful. These damages are granted in addition to actual (compensatory) damages in certain cases.

“Unlike large corporations—when we’re having these conversations with small businesses—they tell us that they don’t have big IT teams, they don’t have the deep pockets for the large corporate cybersecurity measures that they take,” Blanco said. “What this bill does is it gives them both a clear roadmap for protecting data and for legal protection—if they take the right steps—to help level the playing field.

One way small businesses are building effective cybersecurity programs is through support from the Texas Cybersecurity Clinic at the University of Texas. Launched in 2023, the clinic provides “customized cybersecurity services to Texas-based small businesses, nonprofits, and public sector organizations.” The clinic is also in partnership with cybersecurity company Huntress.

“Digital security is becoming increasingly important and relevant as we’re seeing small businesses and other organizations victimized by what we call malicious cyber actors on a daily basis,” said Francesca Lockhart, the program lead at the Texas Cybersecurity Clinic. “It can cause reputational damage. It can cause financial loss to your business.”

One local business the clinic partnered with is Standout Authority, a branding and marketing company. Rachel B. Lee, the co-owner Standout Authority, said that they experienced a breach that heavily impacted them prior to working with the clinic.

“We had $15,000 stolen from us,” Lee said. “It looks like through a phishing email after investigation, the banking number had changed, and so instead of our employee being paid, that money was being completely stolen.”

Since the breach, Lee says her company has established a cybersecurity program with the clinic’s assistance by educating employees and implementing security measures. Lee also emphasized for other small businesses to follow suit, so they don’t find themselves vulnerable to breaches.

“Unfortunately, what a [breach] happens—until it happens to you—it’s like number 25 on the list of things to do because we’re wearing so many hats,” Lee said. “I think education is just absolutely so important. The small things go a very long way for small businesses.”

With the cybersecurity law taking effect on Monday, Lee says it’s a step in the right direction to make sure small businesses can stay functional during a breach.

“I think having some legislation and support to give a little bit of grace as companies, especially the small ones, are learning and systematically changing how they do business. Is just the right thing to do,” Lee said.