832-304-1850

The Texas Compliance Landscape for Legal and Financial Firms

Between 2023 and 2026, the rules changed more than they had in the previous twenty years. Federal regulators added new obligations, Texas passed its first safe-harbor law and its first AI-governance statute, and the state built a dedicated enforcement team. This is the plain-English map of the eight obligations most likely to reach a Texas firm with 10 to 250 employees — what each one is, who it catches, and what it asks of you.

Get the full landscape as a plain-English PDF

Everything on this page, in a single reference document you can keep on file, share with your partners, or hand to your office manager. The same eight obligations, written for people who run firms — not for lawyers or auditors.

The eight obligations, in plain English

Most Texas legal and financial firms are subject to at least four of these, and many to all eight. Here’s what each one is and who it reaches — without the legalese.

FTC Safeguards Rule (Gramm-Leach-Bliley Act)

Who it catches: Financial firms that aren’t banks — RIAs, CPAs, tax preparers, mortgage brokers, insurance agencies. If you handle customer financial information, this likely means you.

What it asks: Name a person responsible for your security program, keep a written Information Security Program, and put real safeguards behind it — encryption, multi-factor authentication (the second step beyond a password), access controls, vendor oversight, regular risk assessments, and an incident response plan.

IRS Publication 4557 & the PTIN Written Security Plan

Who it catches: Every paid tax preparer who holds a Preparer Tax Identification Number (PTIN).

What it asks: Keep a Written Information Security Plan describing how you protect taxpayer data — your safeguards, staff training, and incident response. At renewal, the IRS asks directly whether you maintain one, and answering untruthfully is a serious federal matter. This overlaps heavily with the FTC Safeguards Rule, so one well-built program can satisfy both.

SEC Regulation S-P

Who it catches: SEC-registered investment advisers and broker-dealers — regardless of firm size.

What it asks: A written incident response program covering unauthorized access to customer information, customer notification within a set window after a breach of sensitive data, and current policies on data disposal, safeguards, and oversight of your service providers. The smaller-firm deadline has already passed — it now applies to covered firms of every size.

Texas Senate Bill 2610 (SB 2610) — Cybersecurity Safe Harbor

Who it catches: Any Texas business under 250 employees that handles personal identifying information. This is the one that works for you.

What it asks: Implement and document a written cybersecurity program aligned to a recognized framework. In return, the law shields your firm from punitive damages in breach litigation. It’s opt-in protection — you either qualified and can show it, or you didn’t.

Texas Identity Theft Enforcement & Protection Act (TITEPA)

Who it catches: Any business operating in Texas that holds sensitive personal information about Texas residents.

What it asks: Put reasonable procedures in place to protect that information, and notify affected residents — and the Texas Attorney General — within set windows if a breach occurs. It works hand-in-hand with SB 2610, and it’s actively enforced.

Texas Responsible AI Governance Act (TRAIGA)

Who it catches: Any firm developing or using AI systems in Texas — which now includes most firms using AI tools in client work, analysis, or marketing.

What it asks: Don’t use AI to discriminate or cause certain unlawful harms, and govern how your firm uses it. A written AI Acceptable Use Policy is the practical starting point, and aligning to a recognized AI risk framework provides a safe harbor of its own.

Texas Data Privacy and Security Act (TDPSA)

Who it catches: Texas businesses that process personal data of Texas residents above certain volume thresholds. Small-business exceptions apply.

What it asks: Honor consumer rights to access, correct, delete, and port their data; let them opt out of targeted advertising, sale, and profiling; run data-protection assessments for higher-risk processing; and keep written contracts with your processors. Enforced by the Texas Attorney General.

State Bar of Texas — Ethics & Technology Competence

Who it catches: All Texas-licensed attorneys and the firms they practice in.

What it asks: A duty of technological competence and a duty to safeguard client confidences against foreseeable unauthorized access — across email, cloud services, AI tools, and third-party vendors — plus supervisory responsibility over the IT providers you rely on. The State Bar’s ethics opinions have made these expectations explicit.

Here’s the practical picture for a Texas firm with 10 to 50 people. If you hold legal or financial client data, you’re almost certainly subject to at least four of the eight obligations above — possibly all eight. Most firms don’t know it. The two most commonly missed are the FTC Safeguards Rule and the Texas Identity Theft Enforcement & Protection Act, and most firms also have no idea that the SB 2610 safe harbor is even available to them. None of this is expensive to put right while things are quiet. It gets expensive after a breach.

That’s the whole reason this page exists. Not to alarm you into a contract — to give you an honest map of what actually applies to a firm like yours, so you can make an informed decision about what to do next. Read the PDF. Talk it over with your partners. If you decide you want a second set of eyes on where your firm actually stands, that’s what the Compliance Readiness Review is for. And if you’d rather take the map and handle it yourself, that’s a perfectly good outcome too.

See where your firm actually stands

The Compliance Readiness Review is a working session built around the eight obligations on this page. We walk through where your firm sits against the ones that apply to you, and afterward — once we’ve worked through what we found — you get a written gap report in plain English: what’s in place, what’s missing, and what to address first. No sales pressure. The report is yours to keep, whether or not you ever hire Briggs IT.