Monday 21 May 2012

Prudent man rule

The rule comes from the financial world and is based on the case “Harvard College v. Amory” in an 1830 Massachusetts court. The prudent man rule directs trustees "to observe how men of prudence, discretion and intelligence manage their own affairs, not in regard to speculation, but in regard to the permanent disposition of their funds, considering the probable income, as well as the probable safety of the capital to be invested." In summary, it meant that people in charge of other people's money must exercise due care and skill, and look after the money as if it were their own.

A "prudent man" would invest his own property with the following factors in mind:
  • the needs of beneficiaries;
  • the need to preserve the estate (or corpus of the trust);
  • the amount and regularity of income.

    The terms "reasonable and prudent person", "due care" and "due diligence" have been used in the fields of finance, securities, and law for many years. In recent years these terms have found their way into the fields of computing and information security.

    Shon Harris offers the following definitions of due care and due diligence:

    "Due care are steps that are taken to show that a company has taken responsibility for the activities that take place within the corporation and has taken the necessary steps to help protect the company, its resources, and employees." And, [Due diligence are the] "continual activities that make sure the protection mechanisms are continually maintained and operational."
    Under legislation senior corporate officers can be personally subject to up to millions in fines or possible if their organisations do not comply with the law.

    Management is obligated to protect the business from losses due to natural disasters, malicious code, compromise of proprietary information, damage to reputation, violation of the law, employee privacy suits, and stockholder suits. Management must follow the "prudent man rule", which requires officers to perform their duties with the diligence and care that ordinary, prudent people would exercise under similar circumstances. The officers must exercise "due care" or "reasonable care" to carry out their responsibilities to the organization. In exercising due care, corporate officers must institute protections for areas such as access to resources and data confidentiality.

    From a legal point of view, there are a few basic rules which will determine whether a company being sued is liable or not. One of the basic rules is “the prudent man rule”, in which the court will try to determine whether the company or individual was acting as a responsible entity. For example, if a database was hacked and a client’s personal data was stolen, the court will attempt to understand if and how the company tried to protect its clients’ data in a prudent and responsible way. Another way for the court to determine liability is by checking whether the company exercised due diligence and care. If we go back to the previous example, the court will try to uncover whether the company exercised due diligence and researched the potential risks related to the database information, and what actions it took to protect it.

    In criminal law, due diligence (also known as due care) is the only available defence to a crime that is one of strict liability (i.e., a crime that only requires an actus reus and no mens rea). Once the criminal offence is proven, the defendant must prove on balance that they did everything possible to prevent the act from happening. It is not enough that they took the normal standard of care in their industry - they must show that they took every reasonable precaution.
    Information security due diligence is often undertaken during the information technology procurement process to ensure risks are known and managed. Companies need to practice due care in the operation of their IT systems to prevent security breaches and to have controls in place to mitigate the effect when breaches occur. Failure to practice such due diligence is negligence and increases business risk.

    1 comment:

    1. Very interesting idea. I use Ideals virtual data room for documents also. It helps to provide excellent documents management.