Everything on this page, in a single reference document you can keep on file, share with your partners, or hand to your office manager. The same eight obligations, written for people who run firms — not for lawyers or auditors.
Most Texas legal and financial firms are subject to at least four of these, and many to all eight. Here’s what each one is and who it reaches — without the legalese.
Who it catches: Financial firms that aren’t banks — RIAs, CPAs, tax preparers, mortgage brokers, insurance agencies. If you handle customer financial information, this likely means you.
What it asks: Name a person responsible for your security program, keep a written Information Security Program, and put real safeguards behind it — encryption, multi-factor authentication (the second step beyond a password), access controls, vendor oversight, regular risk assessments, and an incident response plan.
Who it catches: Every paid tax preparer who holds a Preparer Tax Identification Number (PTIN).
What it asks: Keep a Written Information Security Plan describing how you protect taxpayer data — your safeguards, staff training, and incident response. At renewal, the IRS asks directly whether you maintain one, and answering untruthfully is a serious federal matter. This overlaps heavily with the FTC Safeguards Rule, so one well-built program can satisfy both.
Who it catches: SEC-registered investment advisers and broker-dealers — regardless of firm size.
What it asks: A written incident response program covering unauthorized access to customer information, customer notification within a set window after a breach of sensitive data, and current policies on data disposal, safeguards, and oversight of your service providers. The smaller-firm deadline has already passed — it now applies to covered firms of every size.
Who it catches: Any Texas business under 250 employees that handles personal identifying information. This is the one that works for you.
What it asks: Implement and document a written cybersecurity program aligned to a recognized framework. In return, the law shields your firm from punitive damages in breach litigation. It’s opt-in protection — you either qualified and can show it, or you didn’t.
Who it catches: Any business operating in Texas that holds sensitive personal information about Texas residents.
What it asks: Put reasonable procedures in place to protect that information, and notify affected residents — and the Texas Attorney General — within set windows if a breach occurs. It works hand-in-hand with SB 2610, and it’s actively enforced.
Who it catches: Any firm developing or using AI systems in Texas — which now includes most firms using AI tools in client work, analysis, or marketing.
What it asks: Don’t use AI to discriminate or cause certain unlawful harms, and govern how your firm uses it. A written AI Acceptable Use Policy is the practical starting point, and aligning to a recognized AI risk framework provides a safe harbor of its own.
Who it catches: Texas businesses that process personal data of Texas residents above certain volume thresholds. Small-business exceptions apply.
What it asks: Honor consumer rights to access, correct, delete, and port their data; let them opt out of targeted advertising, sale, and profiling; run data-protection assessments for higher-risk processing; and keep written contracts with your processors. Enforced by the Texas Attorney General.
Who it catches: All Texas-licensed attorneys and the firms they practice in.
What it asks: A duty of technological competence and a duty to safeguard client confidences against foreseeable unauthorized access — across email, cloud services, AI tools, and third-party vendors — plus supervisory responsibility over the IT providers you rely on. The State Bar’s ethics opinions have made these expectations explicit.
That’s the whole reason this page exists. Not to alarm you into a contract — to give you an honest map of what actually applies to a firm like yours, so you can make an informed decision about what to do next. Read the PDF. Talk it over with your partners. If you decide you want a second set of eyes on where your firm actually stands, that’s what the Compliance Readiness Review is for. And if you’d rather take the map and handle it yourself, that’s a perfectly good outcome too.
The Compliance Readiness Review is a working session built around the eight obligations on this page. We walk through where your firm sits against the ones that apply to you, and afterward — once we’ve worked through what we found — you get a written gap report in plain English: what’s in place, what’s missing, and what to address first. No sales pressure. The report is yours to keep, whether or not you ever hire Briggs IT.