🌐 This article is also available in: Deutsch

Due Diligence vs. Due Care: You must know this

Due Diligence vs. Due Care: You must know this

If you’re responsible for a company – whether as a CEO, IT manager, or strategic leader – you’re inevitably dealing with information, IT, and cybersecurity. Two terms that keep coming up in this context are Due Diligence and Due Care. They might sound like legal jargon at first, but in practice, they’re absolutely critical.

This article breaks down what they mean, why they matter to you, and what can happen if you ignore them. You’ll also see what Due Diligence and Due Care look like in day-to-day business.

Due Diligence and Due Care

What is Due Diligence?

Imagine you’re acquiring another company. You want to know if there are any digital skeletons in the closet – outdated systems, open security gaps, or data protection issues. That’s exactly what Due Diligence is about: a structured and thorough check before you make a decision.

In the IT and security context, this means asking questions like:

  • Are sensitive data being stored securely?
  • Is there outdated software or undocumented shadow IT?
  • Which third parties have access to systems or data?
  • Are there security policies in place – and are they being followed?

Example: A mid-sized company acquires an online shop. The check reveals the shop system still runs on PHP 5.6, there’s no two-factor authentication, and admin accounts were never reset. Without these findings, the acquisition could’ve turned into a full-blown security disaster – and a mandatory data breach report to the authorities.

This example shows how crucial a structured data protection risk analysis and a cybersecurity audit are as part of Due Diligence.

Due Diligence and Due Care Comparsion

What is Due Care?

Due Care is the day-to-day counterpart. While Due Diligence is more like a “preventive check” before making a decision, Due Care is your ongoing duty of care in daily operations.

That means, in practical terms:

  • You regularly install security updates.
  • You limit admin rights to the bare minimum.
  • You train your employees in safe IT practices.
  • You test whether your backups actually work.
  • You respond to incidents – before it’s too late.

In short:

  • Due Diligence is the careful look before the decision.
  • Due Care is the responsible action after the decision – every single day.

A strong IT security management system relies on a healthy balance between both principles.

What happens if you ignore both?

Without Due Diligence:
should have known.

Without Due Care:

Real-Life Example:

Due Diligence and Due Care Consequences

What legal consequences are at stake?

If you neglect your duty of care – whether in Due Diligence or Due Care – it can lead to not just operational but also legal consequences:

  • GDPR Violations: Fines of up to 20 million euros or 4% of global annual turnover – whichever is higher. Especially if it’s proven that risks were known but no action was taken.
  • Liability of Management: In Germany, management can be held personally liable (§43 GmbHG, §93 AktG). If you act recklessly or grossly negligently – such as failing to conduct a security check – you may be liable with personal assets.
  • Contractual Penalties and Compensation: If security failures cause harm to customers or partners, you risk claims for damages. Insurance companies can also refuse to pay if basic duty of care was violated.
  • Labor Law Consequences: If incidents are caused by employees who weren’t adequately trained, there could be disputes or lawsuits over wrongful termination if there is no documented awareness campaign in place.

In short: Neglecting your duty of care isn’t just an IT risk – it’s a personal risk to you, and that can get expensive.

Due Diligence and Due Care in the Application of Security Processes in Companies

When it comes to security processes in a company, Due Diligence and Due Care play a particularly crucial role. Both principles are not just theoretical concepts but essential components of an effective IT and cybersecurity strategy. They help minimize risks, maintain customer trust, and meet legal obligations. But what does this really mean in the context of applying security processes? Let’s take a look.

Due Diligence: The Proactive Security Check

Due Diligence in this context refers to the thorough precautionary check. Before implementing security processes, you need to ensure that all relevant aspects of your company’s security have been considered. This is the first step in identifying potential security gaps and risks before they become a problem.

Here are some concrete examples of what Due Diligence includes when implementing security processes:

  1. Risk Management and Security Assessment
  2. Selecting Suitable Security Solutions
  3. Compliance Check
    GDPR (General Data Protection Regulation) or other industry-specific regulations. Due Diligence involves ensuring that all compliance requirements are met before implementing security processes.
  4. Third-Party Security Assessment

Due Care: The Ongoing Duty of Care in Execution

Due Care refers to the continuous duty of care after the security processes have been implemented. You’ve made the right choices, but now it’s about maintaining these processes, monitoring them regularly, and keeping them up-to-date. Security processes aren’t a one-time job – they require ongoing attention and adjustment.

Here are some essential aspects of how Due Care looks in practice:

  1. Regular Security Updates and Patches
  2. Monitoring and Incident Response
  3. Employee Training and Awareness
  4. Data Backup and Recovery Testing
  5. Continuous Risk Assessment

Why is This Important for Companies?

Applying Due Diligence and Due Care in security processes is not only about reducing risks, but also a strategic advantage for your company. When you consistently implement these principles, you can:

  • Minimize costs from security incidents: Security gaps that aren’t detected early can lead to costly data breaches and reputational damage. By applying Due Diligence and Due Care, you can prevent many of these incidents.
  • Avoid legal problems and penalties: Failing to meet security or data protection regulations can have serious legal consequences. By regularly conducting Due Diligence and Due Care, you ensure that you meet legal requirements and minimize risks.
  • Maintain customer and partner trust: A company that can demonstrate it regularly reviews and maintains its security processes gains the trust of customers and partners. This is especially important when handling sensitive data.

Applying Due Diligence and Due Care in the security processes of a company is not a one-time task, but a continuous and ongoing process. Due Diligence ensures that you identify potential security gaps proactively and take appropriate measures, while Due Care ensures that these measures are maintained and adjusted regularly to safeguard your company’s security in the long term.

Without these two principles, you not only risk the security of your IT systems but also face legal and financial consequences. A good security management system is based on a balanced approach between Due Diligence and Due Care – for a secure and sustainable future for your company.