What “Due Care” Means for Small Business Owners — And Why Ignoring It Can Cost You Everything

Most small business owners treat cybersecurity, data protection, and IT compliance as technical headaches. They hand off the keys to an internal "tech person" or an outside vendor and assume the responsibility is off their plate.

Whew! The Easy Button. That Was Easy.

In reality, cybersecurity is fundamentally a management obligation governed by a critical legal and operational concept: due care.

Understanding "Due Care" in Plain English

In the business world, due care is the legal standard that dictates leadership must take reasonable, prudent steps to protect company assets, customer data, and operational systems. Think of it as the business equivalent of wearing a seatbelt or maintaining the brakes on a delivery truck. It is the baseline level of care required to avoid allegations of negligence.

If your business suffers a data breach, courts, insurance companies, and regulatory bodies will not ask if your security was impenetrable. Instead, they will evaluate whether management actively exercised due care before and after the incident.

They will ask a simple question: did management actually manage its IT infrastructure?

If you cannot prove that you took reasonable steps to secure your environment, your cyber insurance claim could be denied, regulatory fines can skyrocket, and your business could face devastating legal liabilities.

The 5-Step Due Care Framework for Leadership

Exercising due care does not require an enterprise-level budget or a flawless, un-hackable infrastructure. It requires consistent, documented managerial oversight.

You can fulfill your management obligations by executing this simple five-step framework:

  1. Identify Risks: Regularly assess where your sensitive data lives (e.g., customer credit cards, employee tax records, proprietary workflows) and pinpoint potential vulnerabilities.

  2. Establish Expectations: Define clear security behaviors for your team. This includes implementing strong password requirements, mandating multi-factor authentication (MFA), and outlining acceptable technology use policies.

  3. Implement Controls: Put basic safeguards in place. Ensure you deploy reliable data backups, manage vendor access strictly, keep software updated, and provide ongoing security awareness training to your staff.

  4. Verify Performance: Do not assume everything is working just because nobody is complaining. Conduct routine reviews of your security posture, test your data restoration capabilities, and audit user permissions.

  5. Document Oversight: If it isn't documented, it didn't happen. Maintain written records of your security policies, employee training logs, vendor agreements, and management reviews. This documentation serves as your legal shield if a breach occurs.
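Steps 4 and 5 are the ones most often skipped because "the backups are running" feels like enough. The script below is an added example, not code from the original post or from the author's practice: it takes a backup of a constructed sample directory, restores it into an empty location, compares every file's checksum against the source, and appends a dated PASS/FAIL line to a log that management can review. The directory names, the `REVIEWER` variable, and the sample files are all assumptions made for the demonstration; it uses only POSIX tools (`tar`, `cksum`, `find`).

```shell
#!/bin/sh
# Added example (not from the original post): a minimal restore test that
# leaves a written record. All paths and sample data below are constructed.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SRC="$WORKDIR/data"               # constructed "live" data directory
BACKUP="$WORKDIR/backup.tar.gz"   # the backup under test
RESTORE="$WORKDIR/restore"        # scratch location for the trial restore
LOG="$WORKDIR/restore-test.log"   # evidence record for the management review

# Create a small, constructed data set so the example runs offline.
make_sample_data() {
  mkdir -p "$SRC/records"
  printf 'customer,invoice\nacme,1001\n' > "$SRC/records/invoices.csv"
  printf 'policy v1\n' > "$SRC/policy.txt"
}

take_backup() {
  tar -C "$SRC" -czf "$BACKUP" .
}

# Fingerprint a directory: one checksum over the sorted list of
# (checksum, size, relative path) for every file under it.
dir_fingerprint() {
  (cd "$1" && find . -type f | sort | xargs cksum | cksum | cut -d' ' -f1)
}

# Restore into an empty directory and compare it with the live data.
# Returns 0 only when the restore is complete and current, 1 otherwise
# (a stale backup that misses recent changes fails this check).
verify_restore() {
  rm -rf "$RESTORE"
  mkdir -p "$RESTORE"
  tar -C "$RESTORE" -xzf "$BACKUP"
  [ "$(dir_fingerprint "$SRC")" = "$(dir_fingerprint "$RESTORE")" ]
}

# Run the check and append a dated, attributed line so the review is documented.
# Prints PASS or FAIL so the caller can act on it.
record_result() {
  if verify_restore; then status=PASS; else status=FAIL; fi
  printf '%s restore-test backup=%s result=%s reviewer=%s\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$BACKUP" "$status" "${REVIEWER:-owner}" >> "$LOG"
  echo "$status"
}

# Stand-alone run: sh restore-check.sh run
if [ "${1:-}" = "run" ]; then
  make_sample_data
  take_backup
  record_result
  cat "$LOG"
fi
```

The point of the comparison against the live directory, rather than just checking that the archive opens, is that it catches the common failure of a backup job that still "runs" but no longer covers what the business actually uses. The log line is the artifact for step 5: a dated record that someone verified the restore, kept with the policies and training logs.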

Assumptions

In the context of due care obligations, assumption is a small business owner's greatest vulnerability. Many leaders fall into the trap of assuming that because they have outsourced their IT to a third-party vendor or an internal tech person, their management responsibilities are fully covered. Or, internally, they simply assume everything is being managed appropriately and everything is hunky-dory.

However, under the legal standard of due care, outsourced operations do not mean abdicated responsibility. Courts and insurance providers evaluate whether management actively monitored, verified, and documented their security safeguards—not just whether they hired help. Relying on the assumption that "everything is fine because no one is complaining" creates a dangerous gap in oversight that can invalidate cyber insurance claims and leave a business legally exposed if a breach occurs.

The Bottom Line

Due care is not optional. Managing your technology is a core responsibility of running a modern company. When you actively supervise your IT strategy and clearly communicate expectations, your operational risk decreases, technology costs stabilize, and organizational accountability becomes clear.

Ultimately, outsourced IT does not mean abdicated responsibility. Stay in control of your technology to protect your business, your clients, and your bottom line.

If you’ve got questions, I’ve got answers.

R

Russell Mickler

Russell Mickler is a computer consultant in Vancouver, WA, who helps small businesses use technology better.

https://www.micklerandassociates.com/about