Cyber Security Conversation Series

You can find Part 1 here

Small technicalities don’t matter if we understand the raison d’être

Continuing the discussions with Luke on CISSP, there was this question in his book Think Like a Manager, which dealt with due care vs due diligence. The company Rymar Tech was fined after one of its employees copied the company's private data onto a USB drive and walked out with it. However, the fine was later reduced. Why was the fine reduced?

Due Care vs Due Diligence

I reasoned with Luke that the more plausible basis for reducing the fine is due diligence. And why? Well, going by the method of elimination, let’s first make sense of due care. Merriam-Webster’s dictionary defines due care as:

The care that an ordinarily reasonable and prudent person would use under the same or similar circumstances.

The lack of due care can lead to legal action at the individual level. However, here we are talking about fines at the corporate level. Due diligence is the term more commonly used in corporate law [1]. Therefore, due diligence may be the more appropriate term, as the fine was reduced at the corporate level and no individual mistakes were pinpointed.

Luke’s Response

This understanding is fine. For the CISSP exam I would remember that ultimate responsibility will fall on management, as well as legal action, even if the individual is at fault for failing to provide due care. It is not the system administrator we see on TV testifying at Congressional hearings or in TV interviews, it is a senior executive. It is because the individual did not practice due care that management will still be responsible.

I would also remember that in the question proper due diligence and due care were practiced at all times. It’s just that they didn’t anticipate an employee walking out with a USB drive, and the law could not let this go without some form of fine even though due diligence and due care were done. And the only way to issue the fine was to use the wording of the law of due care as a penalty, since failure of due diligence isn’t punishable.

Note: This conversation has been published after seeking permission from Luke Ahmed. However, the author is solely responsible for any technical errors due to oversight.