
Most organizations encounter duty of care obligations long before they fully understand them. And that gap between encountering the standard and understanding it is exactly where liability lives.
This guide covers the legal definition and historical origins of duty of care, how it applies to employers and corporate directors, what breach actually looks like in practice, and — critically — what organizations can do to build a governance posture that holds up when it's tested.
TL;DR
- Duty of care is the legal obligation to act with reasonable caution to avoid foreseeable harm to others
- Negligence requires proving five elements: duty, breach, cause in fact, proximate cause, and damages
- Employers must protect employees under OSHA's General Duty Clause — remote and traveling workers included
- Corporate directors have a fiduciary duty of care: they must make informed, good-faith decisions — not rubber-stamp management
- Cybersecurity is now a core duty of care obligation for boards under SEC rules, FTC enforcement, and Delaware case law
What Is Duty of Care? Definition, Origins, and Scope
Duty of care is a legal obligation requiring individuals and organizations to act with reasonable care when their actions could foreseeably harm others. Failing to meet that standard can constitute negligence — and negligence is the basis for most civil liability claims.
The concept operates in two distinct legal domains:
- Tort law — negligence claims between individuals or organizations where one party's conduct causes harm to another
- Corporate/agency law — fiduciary obligations requiring directors and officers to act in a corporation's best interests with diligence and good faith
These aren't the same thing, and conflating them causes real confusion. Tort duty of care asks whether a defendant's conduct was reasonable toward someone who might foreseeably be harmed. Fiduciary duty of care asks whether a director made decisions in an informed, deliberate way on behalf of the company and its shareholders.
A second distinction matters here: malfeasance (the defendant's actions created the risk) versus nonfeasance (the defendant failed to act when they should have). Courts analyze these differently — passive failure to act doesn't always create liability the way active harmful conduct does.
Landmark Legal History: Donoghue v Stevenson (1932)
Modern duty of care law traces directly to a 1932 House of Lords decision. In Donoghue v Stevenson [1932] UKHL 100, a ginger beer manufacturer was held potentially liable to an end consumer — despite no contract between them. The consumer had found a decomposed snail in her drink and became ill.
The case turned on Lord Atkin's "neighbor principle" — not the facts themselves:
"You must take reasonable care to avoid acts or omissions which you can reasonably foresee would be likely to injure your neighbour."
Neighbors, in this context, are persons "so closely and directly affected" by your conduct that they ought reasonably to be in your contemplation. That principle — a duty can exist between parties with no prior relationship — became the bedrock of negligence law across common law jurisdictions.
Key Legal Terms to Know
A plaintiff must prove five elements to succeed in a negligence claim:
| Element | What It Means |
|---|---|
| Duty | The defendant owed the plaintiff a legal obligation of care |
| Breach | The defendant's conduct fell below the applicable standard |
| Cause in fact | The breach actually caused the harm (the "but for" test) |
| Proximate cause | The harm was a foreseeable result of the breach |
| Damages | The plaintiff suffered actual harm |

The reasonable person standard ties all of this together. Courts don't ask whether the defendant acted perfectly — they ask whether the defendant acted as an ordinarily prudent person would under the same circumstances.
How Courts Determine Whether a Duty of Care Exists
Not every jurisdiction applies the same test. Two approaches dominate U.S. courts:
- Foreseeability test — Used in Florida and Massachusetts. When a defendant's conduct creates a foreseeable zone of risk, the law recognizes a duty to lessen that risk or ensure sufficient precautions are taken.
- Multi-factor balancing test — California's Rowland v. Christian factors, adopted by many states, weigh foreseeability of harm, certainty of injury, closeness of the connection between conduct and harm, moral blame, policy of preventing future harm, and the availability of insurance.
The practical implication: whether a duty exists can depend on where the lawsuit is filed.
The Business Judgment Rule in Corporate Law
For corporate directors, the standard shifts. Delaware courts (whose rules govern the majority of U.S. public companies) apply the business judgment rule: courts generally won't second-guess decisions made in good faith, by financially disinterested directors who were adequately informed.
The key word is adequately informed. In Smith v. Van Gorkom (1985), Delaware's Supreme Court found directors grossly negligent for approving a merger without sufficiently informing themselves of material information, despite no allegation of bad faith or self-dealing.
Corporations can limit director exposure through:
- Charter waivers under DGCL §102(b)(7)
- Indemnification under DGCL §145
- Directors and officers (D&O) insurance
None of these protections extend to intentional misconduct, bad faith, loyalty breaches, or knowing legal violations. Directors who rely on them without maintaining adequate oversight still face personal liability when courts look past the protection structures.
Duty of Care in the Workplace: What Employers Must Do
Employers carry both a legal and ethical obligation to protect the physical and mental health, safety, and wellbeing of their workforce. This duty extends to on-site employees, remote workers, traveling employees, and, depending on jurisdiction, contractors, interns, and visitors.
OSHA's General Duty Clause
The statutory foundation is OSHA's General Duty Clause, Section 5(a)(1):
Each employer shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm.
"Recognized hazards" is the operative phrase. If an employer knows about a risk — or reasonably should — and fails to mitigate it, OSHA can cite the violation regardless of whether a specific standard covers it.
In February 2023, OSHA cited Amazon at three warehouses for ergonomic hazards, proposing $46,875 in penalties for musculoskeletal risks from lifting frequency, item weight, and awkward positioning. The case shows that enforcement can follow even where no specific ergonomic standard exists — the General Duty Clause fills the gap.
For remote workers, OSHA won't inspect home offices, but employers remain responsible for hazards caused by employer-provided equipment, materials, or required work processes.
Risk Assessments and Crisis Management
An effective workplace risk assessment covers four steps:
- Identify hazards — physical, ergonomic, environmental, psychological
- Evaluate probability and severity — how likely, how serious
- Implement controls — eliminate, substitute, or mitigate
- Reassess regularly — as operations, workforce, or environments change

Crisis management plans are a core component of demonstrating employer duty of care. Pre-defined roles, communication protocols, and escalation procedures need to be documented, practiced, and dated. What satisfies the standard: named owners, tested procedures, and records showing the plan was actually used.
Real-World Duty of Care Breach Examples
Abstract legal standards get clearer through concrete cases.
In Wyeth v. Levine (2009), the U.S. Supreme Court upheld a failure-to-warn verdict against drug manufacturer Wyeth over Phenergan's IV-push labeling. Wyeth knew of the risk of irreversible harm and didn't update the label. The breach was straightforward: the precautions taken were insufficient given a foreseeable risk the company already knew about.
Ortega v. Kmart Corp. (2001) established that constructive notice can be inferred when inspection records are absent. California's Supreme Court held that the absence of evidence of a timely inspection was itself evidence of breach — a point that matters in any premises or operational context.
In Marchand v. Barnhill (2019), Delaware's Supreme Court reversed dismissal of a Caremark oversight claim against Blue Bell's board. The problem wasn't that a listeria outbreak occurred. It was that the board had no food-safety monitoring system at the board level — for a company whose entire business was food safety. No system to receive information meant no ability to act on it.
When the CEO Becomes the Defendant
The FTC's 2022 action against Drizly went further than most enforcement actions. Security failures exposed personal data of approximately 2.5 million consumers — and the proposed order applied individually to CEO James Cory Rellas, not just the company. The basis: his personal role in the security failures.
The message to executives and directors: personal exposure follows deficient security governance.
Across all four cases, the standard isn't perfection. Courts and regulators ask whether the precautions taken were reasonable given the foreseeable risk — and whether the governance structure gave responsible parties a real chance to act. A board with no visibility into a risk can't claim to have exercised oversight over it. That gap is the breach.

Duty of Care in Cybersecurity and Corporate Governance
Cybersecurity is a governance matter. The legal and regulatory framework now makes that expectation enforceable, not aspirational.
What the Regulatory Landscape Actually Requires
Three frameworks define the current standard:
- SEC's 2023 cybersecurity rule (Release No. 33-11216) requires material incident disclosure on Form 8-K within four business days of determining materiality, plus annual disclosures under Regulation S-K Item 106 covering risk management processes, board oversight, and management's role and expertise
- FTC's Safeguards Rule requires covered financial institutions to implement administrative, technical, and physical safeguards — and FTC enforcement has made clear that "reasonable security" is an enforceable standard, not a suggestion
- Delaware's Caremark doctrine — reinforced in Marchand — holds that boards can face personal liability for failing to establish reporting systems for mission-critical risks
The financial stakes justify the governance attention. IBM's 2024 Cost of a Data Breach Report puts the global average breach cost at $4.88 million. Verizon's 2024 DBIR analyzed 30,458 security incidents and 10,626 confirmed breaches. That's the operating environment boards are governing in.
What Board-Level Oversight Actually Looks Like
Directors aren't expected to be security engineers. They are expected to:
- Understand the organization's material cyber risks in plain-English terms
- Receive regular, credible security briefings — not just annual updates
- Ask informed questions and push back when reporting is vague
- Ensure accountability structures (decision rights, escalation thresholds) are defined
- Document that they engaged — not just received information passively

The distinction matters legally. A board that rubber-stamped a CISO's slides without meaningful engagement looks very different in litigation than a board with documented risk discussions, defined escalation criteria, and evidence of asking hard questions.
Defensible Decision-Making in Practice
"Defensible" has a specific meaning here. A board or executive team is in a defensible position when they can demonstrate:
- Clear risk reporting was received and understood
- Informed resource allocation decisions were made and documented
- Governance frameworks with measurable outcomes were established before an incident
- Decision rights and escalation thresholds were pre-defined — not invented in crisis
Organizations in transition face heightened scrutiny for a straightforward reason: governance structures are typically weakest during periods of new leadership, M&A activity, post-incident recovery, or rapid regulatory change. Getting oversight infrastructure in place before regulators ask about it is the difference between a defensible posture and a reactive scramble.
This is work I do directly with boards and audit committees — governance-gap diagnostics, board reporting design, and SEC disclosure readiness — helping organizations build credible oversight structures quickly, without a full-time internal hire.
How to Build a Duty of Care Framework That Holds Up
A framework that satisfies duty of care isn't a binder of policies — it's a set of functioning processes with named owners and documented outcomes.
Three foundational steps:
- Map risk exposure by role, location, and operational context — on-site, remote, traveling, third-party. You can't govern what you haven't identified.
- Define ownership across departments — HR, legal, security, and operations each carry specific duty of care responsibilities. Diffuse ownership means no accountability when something goes wrong.
- Document policies and review them on a schedule — regulations change, workforces change, risk environments change. A policy last reviewed three years ago may not reflect your current obligations.
Written policies alone don't satisfy the standard. If employees and managers can't apply those policies under real conditions, the documentation becomes a liability artifact rather than a compliance tool. Regular training, tested escalation paths, and periodic drills are what turn written policies into a defensible position.
Organizations facing new regulatory requirements, emerging from a governance gap, or managing post-incident accountability questions often need to move quickly. A 90-day improvement plan with named owners and measurable milestones is achievable — but it requires clear sequencing, not just a roadmap document.

Tyson Martin's advisory work with boards and executive teams follows this structure: identify the gaps, define ownership, and establish a governance rhythm with documentation that holds up to scrutiny. Engagements are scoped to produce measurable outcomes — whether the need is interim CISO leadership or board-level governance oversight.
Frequently Asked Questions
What is meant by a duty of care?
Duty of care is the legal obligation to act with reasonable caution to avoid foreseeable harm to others. It can arise by law, by relationship, or simply by undertaking an action that creates risk for another party — the key question is whether a reasonable person in the same position would have foreseen the potential for harm.
How do you prove a breach of duty of care?
To prove breach, a plaintiff must show three things: the defendant owed a duty, their conduct fell below the reasonable person standard, and that failure directly caused damages. Taking some precautions isn't enough — courts assess whether those precautions were actually sufficient given the foreseeable risk.
What is the difference between duty of care and standard of care?
Duty of care establishes whether a legal obligation exists at all. Standard of care defines the specific level of conduct required to fulfill that duty. The standard varies based on profession, relationship, and circumstances — a surgeon faces a different standard than a property owner, even though both owe duties of care.
What happens when a company breaches its duty of care?
A confirmed breach can result in civil negligence lawsuits, regulatory penalties, reputational damage, and employee turnover. In serious cases involving bad faith, intentional misconduct, or deficient board oversight, directors and officers can face personal liability that D&O insurance and charter waivers won't fully cover.
Does duty of care apply to cybersecurity?
Yes. Courts and regulators apply duty of care standards directly to data security. The SEC mandates material incident and annual governance disclosures; the FTC has imposed individual executive liability for security failures; and Delaware courts have held boards liable for failing to oversee mission-critical risks. Cybersecurity squarely fits that category.
What is your duty of care as a care worker?
Care workers — healthcare aides, social workers, and similar professionals — have a professional duty to protect the health, safety, dignity, and wellbeing of those in their care. This duty is defined by both legal standards and professional codes of conduct, and it typically sets a higher standard than the general reasonable person test.