ELI5: What is Due Diligence vs. Due Care?

Due diligence is looking both ways before you cross the street. Due care is actually stopping and waiting for cars to pass. One is knowing about the danger; the other is doing something about it.

Definition

Due diligence and due care are complementary legal and professional concepts in security. Due diligence is the process of actively investigating, understanding, and assessing risks before making decisions—knowing what risks exist. Due care is the responsible action taken based on that knowledge—implementing appropriate safeguards. Together, they define what constitutes reasonable and defensible security practice.

Key Details

  • Due diligence: “What risks do we face?” — researching threats, conducting risk assessments, evaluating vendor security, reading security advisories.
  • Due care: “What did we do about it?” — implementing controls, patching systems, training staff, responding to known threats.
  • Negligence is the failure to exercise due care; it can result in legal liability after a breach.
  • Both concepts are central to compliance frameworks (PCI DSS, HIPAA) and legal defensibility in the event of an incident.
  • Security professionals must demonstrate both: knowing the risk (diligence) and acting on it (care).

Connections