PrepAway - Latest Free Exam Questions & Answers

Which of the following means that a company did all it could have reasonably done to prevent a security breach?

A.
Downstream liability

B.
Responsibility

C.
Due diligence

D.
Due care

Explanation:
D: Due care means that a company did all it could have reasonably done, under the circumstances, to prevent security breaches, and also took
reasonable steps to ensure that if a security breach did take place, proper controls or countermeasures were in place to mitigate the damages. In short,
due care means that a company practiced common sense and prudent management and acted responsibly. If a company has a facility that burns to the
ground, the arsonist is only one small piece of this tragedy. The company is responsible for providing fire detection and suppression systems, fire-resistant
construction material in certain areas, alarms, exits, fire extinguishers, and backups of all the important information that could be affected by a fire. If a fire
burns a company’s building to the ground and consumes all the records (customer data, inventory records, and similar information that is necessary to
rebuild the business), then the company did not exercise due care to ensure it was protected from such loss (by backing up to an offsite location, for
example). In this case, the employees, shareholders, customers, and everyone affected could potentially successfully sue the company. However, if the
company did everything expected of it in the previously listed respects, it is harder to successfully sue for failure to practice due care.
A is incorrect because downstream liability means that one company's activities, or lack of them, can negatively affect another company. If one of the
companies does not provide the necessary level of protection and its negligence affects a partner it is working with, the affected company can sue the
upstream company. For example, let's say company A and company B have constructed an extranet. Company A does not put in controls to detect and
deal with viruses. Company A gets infected with a destructive virus, which is spread to company B through the extranet. The virus corrupts critical data and
causes a massive disruption to company B's production. Therefore, company B can sue company A for being negligent. This is an example of downstream
liability.
B is incorrect because responsibility generally refers to the obligations and expected actions and behaviors of a particular party. An obligation may have
a defined set of specific actions that are required, or a more general and open approach, which enables the party to decide how it will fulfill the particular
obligation. Due care is a better answer to this question. Responsibility is not considered a legal term in the way the other answers are.
C is incorrect because due diligence means that the company properly investigated all of its possible weaknesses and vulnerabilities. Before you can
figure out how to properly protect yourself, you need to find out what it is you are protecting yourself against. This is what due diligence is all about:
researching and assessing the current level of vulnerabilities so that the true risk level is understood. Only after these steps and assessments take place
can effective controls and safeguards be identified and implemented. Due diligence is identifying all of the potential risks; due care is actually doing
something to mitigate those risks.