Kendall Jones Neukomm (00:00)
Hello everyone and welcome to Whitley Penn Talks, where we give you valuable insights to help you make confident informed decisions and move your business forward. My name is Kendall Jones Neukomm and today we are talking U.S. Senate Bill 2610, what it means for small and mid-sized businesses and what we can expect moving forward.

Now, many of you are like, what is Senate Bill 2610, Kendall? And we’re about to dive in. So we’ve got Jesus Vega and John Williamson here today, both ⁓ members of the team at Whitley Penn on the risk advisory side, cybersecurity side as well. And we’re happy to have them here. So how are you both doing today?

John Williamson (00:46)
Doing great, Kendall.

Jesus Vega (00:47)
Fantastic, Kendall, thank you.

Kendall Jones Neukomm (00:47)
Awesome, awesome. Well, before we do dive in to the details of Texas Senate Bill 2610, we will do some quick intros. So John, will you start us off? Just tell us a little bit about your story and how long you’ve been at the firm.

John Williamson (01:02)
Yeah, thanks, Kendall. So pleasure being here. So background on me. I am a Dallas native, so born and raised in Dallas, Texas. My story is in high school, I was a huge gigantic band nerd. ⁓ I was a trumpet player. I fancied myself ⁓ really kind of a, you know, an up and coming musician. I wanted to be in an orchestra as a full time job.

So I decided that it would be a brilliant idea to get not one but two degrees in music. And then later as I got older when I found out that I couldn’t really make a living doing so I found out it was a pretty bad idea. So I went back to school and I got my master’s in accounting from UT Dallas and right out of that experience I was hired by the firm at Whitley Penn. So that was over 14 years ago and I can just say it’s been a fantastic experience. Love the firm, love the culture.

And I started as an associate right out of college and our risk advisory practice. Fast forward 14 years from now, I’m the partner in charge of the practice. And we’ve grown exponentially. And the way I like to phrase it to our clients that if it has to do with internal controls, compliance, technology, that’s our group. And so as a part of that, we have our cyber security practice and I’m going to pass things off to Jesus here in just a little bit. But Jesus has just really been a fantastic hire for our firm and for us. He brings a really strong technical background on security side. And so really pleased with the strategic decision to hire him to introduce that level of sophistication for the firm. And so now that I’ve set the bar really high Jesus, I’m to pass things off to you for your intro.

Jesus Vega (02:53)
Thank you, John, for those kind words. I’ve been with Willy Penn for seven years, but my experience in IT has been going back to almost 18 years total. I’m born and raised in El Paso, Texas. I graduated from University of Texas at El Paso in computer information systems and a second degree in management. Once I graduated, I started as a help desk person and continued growing my career into system administration, a little bit of network. Then I went into the compliance field where I was doing risk assessment as a federal contractor for the government. Got married, life happened, moved to the Dallas/Fort Worth area where I was lucky enough to find a as a system security analyst managing the securing compliance tools. And then continued to develop my career into the compliance and governance field.

About seven years ago, I decided to join the dark side and became an IT auditor. It’s when I came to Whitley Penn and I really enjoyed the part of the audit, but also helping companies build their governance and compliance programs as we go forward. So I’m really thankful to be here and thank you.

Kendall Jones Neukomm (04:03)
Awesome. Thank you both. I have two quick questions. ⁓ So John, how many instruments can you currently play?

John Williamson (04:11)
Well, how many instruments can I play well right now? The answer is zero. ⁓ I haven’t played ⁓ trumpet in several years. It’s one of those instruments that requires a fair amount of physical conditioning. ⁓ And I guess for those of us that can see the video right now, you can see that I have pictures of multiple kids behind me. I have five kids at home. so between this job and being a dad, I just haven’t been able to keep it up. But I dabble in piano, guitar, ukulele, and I guess trumpet even though I haven’t played in years. So that’s all I’ve got.

Kendall Jones Neukomm (04:49)
I love it. I have a feeling that dabbling is probably still pretty good, but would love to hear that sometime. And then, Jesus, you have to tell us a little bit more about the helmets in the background. So Star Wars fan, can tell. Hence to the dark side.

Jesus Vega (05:04)
Yes, I’m a bit of a Star Wars fan. ⁓ My wife says that she has three boys, although I just account for two. I don’t know what she means with that. But I’ve been a Star Wars fan since ⁓ before it was cool.

Kendall Jones Neukomm (05:19)
Love it. Love it. Well, thank you both for those intros. It’s helpful that people know who we’re talking to and a little bit of your personality, just the same. as many of you listeners out there can tell at this point today, we will be talking about risk and it’s specifically cybersecurity and data privacy as it affects or is affected by the Texas Senate Bill 2610. So when we mentioned Senate Bill 2610, we’re specifically talking. ⁓

on cybersecurity and risk measures that companies will need to take as a result of that legislation. Before we get into the content there, we’ve got some great questions lined up for John and Jesus, but I did want to share with the audience that we have a webinar coming up on WhitleyPenn.com. So I’ll share that again at the end of this podcast, but there is a webinar coming up specifically focused on data breaches, cybersecurity, and industry dashboards. That’ll be on October 20th, and it’s virtual, so we’d love for you guys to tune in. If you wanna know more, you can visit witleypenn.com slash events to sign up. Now for our actual conversation today, let’s talk about Senate Bill 2610. So what does it mean and what does Safe Harbor mean in this context?

John Williamson (06:37)
Yeah, I’ll go ahead and start and ask Jesus to elaborate at any point. I’d like to start though with the disclaimer that neither Jesus nor I are attorneys. We are not offering legal advice. In fact, if you did hire us to be your counsel, I think it would probably be a poor decision. So I want to start with that. But we’re going to do our best to navigate through what this bill is, what it means and how it affects small and midsize businesses within the state of Texas.

So the history of the bill, it was initially introduced and filed in March of 2025 by state Senator Cesar Blanco from District 29 in Texas. And it was signed into law by Governor Abbott on June 20th, 2025. So you take that and then now we move forward to the effective date. So the effective date of the bill, when it will become actual law, will be September 1st, 2025, which is right around the corner, and rumor has it is actually going to be the release date of this podcast, I think. ⁓ And so what is it? ⁓ So Senate Bill 2610 or SB 2610 for short was introduced to address the growing threat of cybersecurity attacks on small and mid-sized businesses within the state of Texas.

So these businesses often lack the resources to implement sophisticated cybersecurity defenses which makes them vulnerable to breaches and can result in financial loss, reputational damage, and legal exposure. So the idea is that it introduces safe harbor that in the event a breach occurred or some kind of security incident occurred, there are certain limitations on the kinds of damages that a party can seek in civil court when filing a suit if they are indeed harmed as a result of a reach or an incident that takes place at a small to mid-sized business.

Jesus Vega (08:38)
The legislation is saying to support local businesses and Texas businesses for that matter as if you’re one of those small businesses we’re referring to, you know that cybersecurity is complex and is part of your business and there’s no way around that you have to face it head on. I think what the legislation has done here is to protect businesses who are trying to safeguard their environment against punative damages this in case they have that breach.

Kendall Jones Neukomm (09:09)
And why would the two of you say that this bill is significant ⁓ outside of just making sure that these companies are protected?

John Williamson (09:20)
Yeah, well think it acts as an incentive for small to mid-sized businesses to implement sound cybersecurity risk management practices. I think conceptually with the bill, historically, governments have grappled with cybersecurity legislation and enforcement. And so typically, the first instinct of any state or federal government is to levy heavy penalties or fines for organizations that may have made a mistake or messed up. ⁓ And if a security incident occurs, many of these governments require these businesses to disclose that to the government, and then they in turn will then find them. ⁓ And so ⁓ it’s kind of the concept of incentivizing behavior through carrying a big stick, ⁓ through punishment.

Well, what the state of Texas has done is kind of turn that concept on its head and it’s actually offered protection for businesses that have taken the initiative to implement security controls and take it seriously, which I personally, I think is a brilliant idea. It’s one of the reasons I like living in the state of Texas ⁓ is instead of ⁓ kind of this overreaching concept of having heavy penalties, it actually allows for protections for small to mid-sized businesses that are doing their job and making good faith effort to protect consumer data.  And as a result, the impact of any penalty that can take place through the courts.

Kendall Jones Neukomm (10:49)
Yeah, definitely. Elaborate a little bit more. I’m kind of going off script here, but what are the ways in which the law will then measure businesses who are attempting? How do you measure that good faith attempt?

John Williamson (11:08)
Yeah, and so again, maybe just if we take the broad concept of the framework, provide a little more detail, and then we can break it down into the different tiers and the different requirements. And before we get there, one important point I’d like to bring up, we haven’t really dived into this too much, but the protection is specifically against exemplary or punitive damages in a civil lawsuit. So that does not exempt small to mid-sized businesses from having to pay out actual damages that are by the courts. But it does provide protections against paying out punitive or exemplary damages ⁓ as a result of those lawsuits. with that in mind, ⁓ some important things to know. ⁓ It applies to businesses that have fewer than 250 employees and that own or license computerized data containing sensitive personal information.

And this is really in most businesses because sensitive personal information. Think name, address, phone number, social security number, payment card data, for any healthcare organizations, protected health information, which is defined by IPA, a federal regulation. ⁓ And so the requirements then, you meet those requirements, ⁓ then how do you prove that you’ve complied with this and that you’ve made a good faith effort? You implement and maintain a cybersecurity program that conforms to an industry recognized framework.

So I’ll pause there, that’s a lot of information. But if you’d like, Kendall, we can break it down into the different tiers and the compliance requirements, because I know we’re going to get there eventually, but we can do that now if you think this is a good time.

Kendall Jones Neukomm (12:50)
Let’s do it. I think that we’re right on track with where we need to be.

John Williamson (12:53)
Okay, perfect. ⁓ So I’ll do this one. And then as we get into some of the actions that you can take, Jesus is really the expert on implementation for that. So we’ll probably rely on him to take a lot of that information. So how do the compliance requirements differ based on the company size? Well, if your business has two, a fewer than 20 employees, you have to apply basic safeguards like password policies, employee training.

There’s no need necessarily for a full framework compliance. There’s kind of a minimum threshold that you have to implement. And honestly, they’re most things that businesses are doing today. ⁓ So if you’re outsourcing IT to a managed service provider, they’re doing their job. Most of these things you would probably have in place, but it’s just having good cyber hygiene and good practices in place. Tier two is 20 to 99 employees. And this is that moderate, middle level ⁓ of compliance. And so the moderate requirements are implementing CIS controls, Implementation Group 1.

What is that? Okay, CIS stands for Center for Internet Security, and it’s simply a body made up of professionals that developed a very, ⁓ it’s a standard that’s easily understood and comprehensible by most people because it boils down all these complex security requirements and it says, let’s just boil it down to these basic controls. So the CIS Top 18 is an industry-wide recognized framework of 18 good controls that can apply to really just about everybody. And it simplifies cybersecurity in a way that is easily understood and it’s easier to implement and maintain. So what they’ve recommended is the CIS controls.

IG1 implementation group one, which is a standard set of security controls that we can get into later. And that’s a little more structured and formalized. And the final tier, tier three, is 100 to 249 employees. And this requires full compliance with a recognized framework. What are those? Well, there’s a number of possibilities. ⁓ There’s the NIST cybersecurity framework. This stands for National Institute of Standards and Technology. It’s a federal framework developed for federal agencies ⁓ that is actually industry agnostic and widely accepted in the private sector. ⁓ There’s ISO 27001, which is an international standard for information security management systems.

You can use PCI if you’re processing payment card data or the HIPAA security rule if you’re a healthcare organization or processing protected health information. The bottom line is there’s a number of frameworks out there. Many of them are good. And as Jesus and I tell our clients, most of them really have this, the same conceptually. There’s some different flavors and unique details about each one, but broadly, if you think about the Venn diagram of all these frameworks, there’s a really big fat middle because a lot of these concepts are very similar across the frameworks.

So I’ll pause there. That was a very long-winded answer to a short question, Kendall. But does that capture everything that you think you needed to know?

Kendall Jones Neukomm (16:14)
Yeah, definitely, definitely. Jesus, do you have anything to add there?

Jesus Vega (16:19)
The only thing I would say is that you forgot to add SOC 2 as part of the frameworks we can use, but I’ll bring it up when we go into the technical controls now that can be implemented.

John Williamson (16:29)
No, that’s fair. Jesus and I are deeply involved in our SOC 2 practice, which is a very high-growth practice for our group. I probably omitted it unintentionally, but it is something that is widely recognized by the ICPA, CPAs in general. And so it’s a very good reporting framework that covers sound security principles.

Kendall Jones Neukomm (16:52)
So John, thank you so much for describing what the frameworks look like and how businesses can make sure that they’re looking at compliance requirements depending on their size. So when we’re thinking about ongoing efforts to maintain their systems and their controls that they have in place, the legislation mentions that it needs to have been implemented and then maintained. How do we define that and how do businesses make sure that they’re remaining in compliance moving forward?

Jesus Vega (17:25)
Thank you, Kendall. That’s a great question. So I can start by saying that based on the tiers, ⁓ let’s start with the small companies first, the under 20 employees. For implementing and maintaining these controls, we can do very basic components. Now as a new business, it has under 20 people. You obviously have several folks wearing multiple hats, but there’s several items that need to be considered the moment you start your own business. The data that you have, you obviously know what that is, but how are we gonna protect it? we have any policies in place, any guidance that is gonna be your documentation of here’s what we’re doing, here’s how we’re securing it. ⁓ Inventory of your hardware. Know that the assets that are gaining access to your information, even if you have a bring your own device policy, make it a policy where you say, that’s fine, you can bring your equipment, but you need to have antivirus, you need to have for this encryption, which is built into all the computers nowadays, either Microsoft or Apple’s computers. Know your software that you have in your inventory, and then do some type of risk assessment on yourself to see what are the areas you may be concerned. That would be your basic controls for a small entity. For a mid-size entity, have, as John mentioned earlier, the implementation group one from CIS controls.

That’s basically building on what you just described, but it’s a little more of a segregation of duties where you know who has administrative rights. You may have some users who have overlapping roles based on the size, so that’s okay. But you need to understand who holds those rights and how are we going to validate that they’re being used appropriately, have some sort of email protection, malware protection, antivirus, and all these tools that protect the technical components. Training is really critical, ⁓ having security awareness training across the board. And then the one thing that is the silver bullet against hackers would be a robust backup strategy.

Your computers may get compromised, you may have computer failures, your computer, you drop it and it breaks, something on those lines, but having a robust backup will help you recover. And then of course, the large tier on the SMB size, the 100 to 250 employees, Whitley Pan has a lot of clients who rely on the SOC 2 reporting for software as a service providers, those companies that offer services to other ⁓ industries out there. And this is a really well received report that is also complies with the SP2610.

It’s not too difficult to implement because a lot of the focus is on security. Things that most businesses that are under 100 and above employee head counts have those processes in place. Change management, training, onboarding, deboarding. So it’s not too much of a hurdle to overpass.

John Williamson (20:35)
Yeah, Kendall, if I may, the only thing I might add to that, which I thought was a very thorough detailed explanation of the kinds of controls that you can implement that might provide you safe harbor under this legislation. The only thing I might add is, you know, the legislation specifically mentions implemented and maintained. And in my auditor mind, that means that it’s implemented and it’s suitably designed. And the maintain part is that those controls are operating effectively over time.

And so the concept is that you can’t just implement these practices once and then not have some kind of monitoring mechanism to make sure that they’re not operating over a period of time. If you implemented sound controls on day one and then 360 days later, there’s a breach because you haven’t been doing your job by maintaining those, then conceptually you would no longer be offered safe harbor under the law.

Kendall Jones Neukomm (21:16)
Right.

Yeah, that makes sense. And so when we’re thinking about potential cost savings, so for those that are listening to this episode right now, maybe business owners, maybe in different roles in some of these businesses and organizations in Texas that would apply and would be seeking safe harbor in the event that something did happen, ⁓ what’s the potential cost saving or reputational benefit that you can foresee for some of these folks that are considering this.

John Williamson (22:00)
Yeah, great question. And before I get to that specific answer, just one little caveat I want to throw in there, because we are talking about safe harbor against exemplary or punitive damages. ⁓ What does safe harbor not mean? So as I mentioned before, it does not cover you against actual damages as a result of a suit.

It does not cover you or protect you against regulatory penalties. It does not limit the state attorney general whatsoever. So the attorney generals can still act and levy fines and penalties if the AG deems it necessary. And it also does not offer protection against class action lawsuits. So those are three things I wanted to highlight. However, there still is a lot of benefit here. So what does it mean to be protected against exemplary or punitive damages?

Well, there’s kind of a rule of thumb, and I don’t believe it’s really written anywhere. I don’t know. Again, I’m not an attorney. ⁓ We’ve had the opportunity to speak to several attorneys about this law and what it will mean. And from what we gather, there’s a general rule of thumb that exemplary damages can be anywhere between one to three times actual damages. So if a suit is filed against a business and a judge or a jury wants to make a point, they can award exemplary damages on top of actual damages, depending on how egregious the act was. Now, historically, there have been cases where it’s been nine times ⁓ actual damages. I believe in doing research for this podcast, the Supreme Court has stated that punitive damage is exceeding 10 times actual damages, or generally constitutionally suspect.

But if you think about cost savings, if there’s a massive breach that causes significant harm to consumers, to customers, to employees, ⁓ then you could go as many as three times all the way up to nine if it’s particularly egregious. There is significant benefit in taking action now and implementing these security practices to provide your business safe harbor in the event something does go wrong.

Jesus Vega (24:05)
Yeah, and I’ll add, that it is, and Kendall, I’ll add that it’s just not the quantitative three times damages or something. It’s difficult to quantify, but having some of these frameworks implemented is also a great tool for the business leaders to broadcast that they’re small businesses taking security seriously. Countless of our clients need to have a SOC report or a risk assessment because it’s part of their requirements for new contracts with new clients. So that is difficult to quantify what the savings and the benefits are those, having these frameworks in place just to show the maturity level, regardless of size, they’ll give you that extra leg up against your competitors.

Kendall Jones Neukomm (24:38)
Mm-hmm.

Yeah, definitely. Is there, have you worked with any clients that have seen in order for them to receive investment or capital of any kind, they need to have some of these frameworks in place just the same?

John Williamson (25:06)
Yeah, and I think so. It depends on the priorities of the investors. mean, something that has been expanding as a part of our practice, particularly recently, has been pre-transaction that we’ve been doing several cybersecurity and IT due diligence projects, which has influenced the purchase price of a potential transaction, depending on the buyer’s concern about it or their appetite for taking on risk, so it’s wide ranging and very impactful.

Kendall Jones Neukomm (25:38)
⁓ Yeah, for sure. Thank you both. ⁓ So for a business leader today that could be listening to this episode right now when the legislation is effective, what would be step one? So say you’re listening to this, you’re thinking, I don’t feel like I have any of these frameworks in place just yet. My business has grown a lot over the last few years. I mean, what would you say would be a good first step for some of the folks listening in today?

John Williamson (26:07)
Yeah, so the good news is that there’s a lot of publicly available information that can be used. ⁓ So if you want to try it on your own, you certainly can. ⁓ However, you know, it requires a certain level of technical experience and understanding compliance and cybersecurity concepts. ⁓ So it’s certainly an option. ⁓ I might recommend ⁓ engaging with someone who can help you understand what the requirements are and provide advice and recommendations on how to comply with the requirements depending on the size and maturity of your business. ⁓ Now you don’t have to contract it out, you can do it yourself certainly, ⁓ but really I think step one, once you get past that, is performing a risk assessment and that’s where you take a standard established framework, you try to identify where your vulnerabilities are, where are the big gaps that could cause some kind of exposure in the future.

Kendall Jones Neukomm (26:54)
Mm-hmm.

John Williamson (27:04)
⁓ And then assessing those risks, evaluating what your risk response, your controls are, and say, well, where do we stand today? What are we doing to address those risks? And as you walk through those questions, it gives you a really good roadmap to understand what needs to be implemented to provide protection for your organization.

Kendall Jones Neukomm (27:13)
Mm-hmm.

Awesome, thank you. Jesus, anything to add there from the cyber side?

Jesus Vega (27:29)
Yeah, I’ll definitely add if you perform a risk assessment yourself or do you have a service provider, the best thing to do is to get one of those frameworks that are publicly available as John mentioned and be honest with where you’re at, not where you wanna be because the only ⁓ comment that I have of self assessing is sometimes we are biased amongst ourselves. Like we’re shooting for this goal. So we’re putting that into our current state, but you can also have somebody help you who’s coming as a independent third party. There’s no bias in that. Just to give you an assessment of where you’re at and where your concerns can be and how to start addressing them.

Kendall Jones Neukomm (28:12)
Yeah, definitely.

John Williamson (28:12)
Yeah, and sorry, Kendall, I know we’re probably running long, ⁓ but I just, you know, can’t stop talking. ⁓ So in one question, as Jesus and I were thinking about the impact of this legislation, one question that both he and I were grappling with was, well, I’m to do a risk assessment and I’ll self assess what happens if I identify a lot of gaps that demonstrate I’m not in compliance with a particular framework.

Does that introduce liability should something occur and a suit be brought against me? Which I think is a very reasonable question. So Jesus and I had the chance to consult with some attorneys that we partner with. And I think the general consensus is that as long as you’re making a good faith effort, and I think you’re mostly there, you don’t have to be 100 % compliant 24 seven, 365 days a year.

The important thing is that you’re being thoughtful about it, you’re managing it, you’re documenting it, and that you’re making a good faith effort to comply with these industry recognized frameworks. And then in the event a suit would be brought up, our attorney friends felt fairly comfortable that as long as their clients were doing what they should be doing and they could demonstrate it, that they would still be allowed safe harbor under the law.

Of course, there’s no case law yet because it hasn’t gone into effect. So it’s kind of speculation. But anyway, I figured that would be an important thing. They don’t let that prevent you from doing a self-assessment or a risk assessment. It’s still a very good step towards this journey of achieving safe harbor under Texas law.

Kendall Jones Neukomm (29:32)
Right.

Yeah, definitely great perspective there. Anything else before we do wrap up this episode? This has been a great conversation and we’re thankful to hear from both of you.

John Williamson (29:58)
I might just add, you know, again, it’s a really great incentive for small to mid-sized businesses. If you just take a fresh look at what you’re doing right now, challenge yourselves, and then see if you can implement some of these things. Because again, there’s benefit down the road. Should ⁓ some kind of incident or breach occur, ⁓ I mean, it’s great that the state of Texas is offering some kind of protection for small to mid-sized businesses. So I think it would be wise to just ask the question and start walking down this road to figure out what cybersecurity compliance and having an improved security posture looks like. And of course, here at Whitley Penn, we’re happy to help. Jesus and I do this for full time living. But regardless of whether you hire us or not, or hire somebody else, I think it’s a good thing for businesses to do. So I’d highly encourage business owners to consider it.

Kendall Jones Neukomm (30:41)
Mm-hmm.

Yeah, awesome. And if they do have questions and want to reach out to either of you, what’s the best way to get in contact?

John Williamson (30:59)
Any and always, Kendall, I’m not active on social media, so probably not that one. ⁓ email, ⁓ phone number, we’re happy to post this with the episode. Of course, it’s available on the website. ⁓ Whether it’s work line, mobile, I’m available. And then, Jesus, I’m sure you’d probably say the same, correct?

Jesus Vega (31:20)
Yes, our contact information is on the website. Shoot us a message. We’ll get back to you. I will talk your ear off when it comes to cybersecurity.

Kendall Jones Neukomm (31:28)
And that’s okay. The more you know, that’s the more protected you are in a lot of ways. So for those listening, thank you so much for tuning in today. If you enjoyed today’s episode, be sure to subscribe on YouTube, Spotify, Apple, or listen right on our website at WhitleyPenn.com slash podcasts. If you’re interested in receiving our episodes straight to your inbox, along with other cybersecurity insights, check the link in the description of this episode to sign up for our email list.

Thank you again, Jesus and John, we really appreciated your time and I hope everyone has a wonderful rest of the day.

John Williamson (32:02)
Thank you, Kendall.

Jesus Vega (32:03)
Thank you.