Welcome to our Security Governance Principles module on Due Diligence and Due Care. When we talk about due care, we are talking about whether or not a person is careful. This is generally evaluated by the amount of caution that a similar person would exercise under similar circumstances. Basically, it just means taking the same steps that any reasonable person would take, and acting responsibly as a management employee to prevent breaches from occurring. Due diligence is the duty of our company's directors and officers to act prudently, both professionally and legally. It is important to make sure that we are continually evaluating our facts and then taking actions based on our findings, and also making sure that we evaluate our risks and determine the best practices to mitigate those risks. It's very important to be familiar with these two terms for the CISSP examination. Due care can include things like developing policies and procedures, but due diligence means actually taking some sort of action to follow up, to make sure procedures are being followed or to inspect for compliance. When we talk about liability, we are trying to discover who is at fault for a particular situation or set of circumstances. If the management employees of your organization do not exercise due care and due diligence, then this can be considered negligence, and the company could be responsible for damages. The courts will often look at culpable negligence to determine whether or not there is liability. Culpable just means wrongful, and negligence means that you failed to take some type of action that you should have taken, and therefore you are responsible for the damage that occurred. This generally falls under an 1830 law known as the Prudent Person Rule, which basically states that you should take the actions that another sensible person would take in the same circumstances in order to protect their assets. This led to the development of due care and due diligence, as we discussed on the previous slide.
You should be familiar with the term downstream liabilities, which means that you can be responsible for damages that you cause to other organizations when a security incident occurs in your organization. For example, if your email system begins sending out malicious e-mails which damage other companies, you could be responsible for those damages if you failed to protect your system appropriately. When we talk about legal liability, it means that you have some responsibility under the law for some type of obligation. This legally recognized obligation basically means that you are expected to perform to a certain set of rules or conduct to protect others from unreasonable risks. When we talk about proximate causation, this is a fault or some type of negligence that can be proven. Obviously, if you violate a law, some type of regulation, or a criminal law, or if you steal someone's intellectual property, you can be held responsible for that and be required to pay fines, or you could even be imprisoned. If you violate due care by some type of unreasonable action, you could be sued by your employees, your customers, or even your stockholders. If you violate someone's privacy, such as releasing your employees' personally identifiable information, or PII, through some type of negligence, then you can be sued by your employees for any damages they incur. It is important to make sure that you take steps to prevent incidents from occurring, because negligence can cost you a significant amount of money, your reputation, or even your employees. Companies have different requirements, depending on their type of industry, for the due care responsibilities they should be following. If you do not take the proper steps to ensure that you meet these responsibilities, the company or the officers of the company could be charged with negligence, which could mean paying fines, paying for damages caused, or even being jailed.
In order to prove negligence in a United States civil court or criminal court, it must be proven that the defendant had an obligation or a duty to protect the plaintiff from an unreasonable risk, that the defendant's failure to protect the plaintiff from that unreasonable risk was a breach of duty, and that this breach was the proximate cause of the plaintiff's damages. This concludes the module. Thank you for watching.