Fiduciary Duty of Care: Definition, Examples & Legal Obligations

Most board members accept their roles understanding they carry legal responsibilities. Far fewer understand exactly what those responsibilities require — or what happens when they fall short.

The fiduciary duty of care sits at the foundation of that legal framework. It governs not just what decisions you make, but how you make them. And courts evaluate that distinction with real consequences: personal liability, reputational damage, and removal from leadership positions.

This post covers the duty of care in plain terms — its legal definition, how it compares to other fiduciary duties, who it applies to, real-world examples including cybersecurity obligations, and what constitutes a breach. It's written for board members, directors, executives, and legal and risk leaders who need to understand their obligations clearly, not just legal professionals parsing case citations.


TL;DR

  • Duty of care requires well-informed, reasonably prudent decisions — courts scrutinize the process, not just whether it worked.
  • It sits alongside duty of loyalty and duty of obedience (or good faith) as the three core fiduciary obligations.
  • Even unintentional breaches can trigger personal liability, reputational harm, and legal action.
  • The business judgment rule protects directors who act in good faith, are adequately informed, and have no conflicting interests.
  • Modern boards now face duty-of-care scrutiny over cybersecurity oversight, driven by the SEC's 2023 cybersecurity disclosure rules.

What Is the Fiduciary Duty of Care?

The fiduciary duty of care is the legal obligation to act with the competence, diligence, and informed judgment of a reasonably prudent person in a similar role under similar circumstances. Section 4.01 of the American Law Institute's Principles of Corporate Governance frames it as acting in good faith, in the corporation's best interests, with the care an ordinarily prudent person in a like position would reasonably exercise.

That "reasonably prudent person" standard has real behavioral meaning for directors and executives:

  • Review materials before meetings, not during them
  • Ask clarifying questions when something doesn't add up
  • Request independent expert analysis on complex or unfamiliar matters
  • Follow up on warning signs raised by auditors or advisors
  • Don't rubber-stamp management recommendations without independent judgment

Process, Not Just Outcome

The duty of care is a process standard, not a results test. A bad business outcome does not automatically mean the duty was violated. Courts look at how a decision was reached, not whether it turned out well.

This is where the business judgment rule comes in. As defined in Aronson v. Lewis, the rule creates a legal presumption that directors acted on an informed basis, in good faith, and in the honest belief that the action served the company's best interests. If that presumption holds, courts will generally not second-guess the substance of a business decision — even a costly one.

Legal Origins and Context

The duty arises primarily in corporate and agency law, where directors and officers owe it to the corporation itself. It also appears in trust law, estate management, and ERISA contexts.

Delaware law, where the majority of U.S. corporations are incorporated, is the dominant legal framework. Under DGCL Section 141(a), corporate boards hold explicit management authority, and fiduciary duties attach directly to that authority. That authority also comes with a specific liability standard: Delaware applies a gross negligence threshold when evaluating whether the business judgment rule's protection is lost. Simple negligence won't strip that protection — but uninformed, disengaged decision-making will.


The Three Primary Fiduciary Duties Explained

The duty of care doesn't exist in isolation. Understanding all three core duties helps clarify where each begins and ends.

Duty of Care

The obligation to remain well-informed before making decisions. In practice, this means:

  • Reviewing meeting materials in advance
  • Asking clarifying questions and requesting expert analysis when needed
  • Investigating irregularities rather than accepting reassurances at face value

This is the duty most directly tied to the quality of the decision-making process.

Duty of Loyalty

The obligation to prioritize the organization's or beneficiary's interests above personal interests. In practice, this means:

  • Disclosing conflicts of interest before deliberation
  • Recusing oneself from related votes
  • Never using insider information for personal gain

The distinction is straightforward: loyalty governs whose interests are served; care governs how well decisions are made.

Duty of Obedience (or Good Faith)

The obligation to act within the law and in alignment with the organization's stated mission and governing documents. For nonprofit boards specifically, BoardSource and the National Council of Nonprofits identify obedience as a distinct third duty — boards cannot approve actions that contradict the organization's chartered purpose, even financially attractive ones.

For corporate boards under Delaware law, good faith is embedded within the broader fiduciary framework rather than treated as a fully separate duty.


[Infographic: the three core fiduciary duties (care, loyalty, and obedience) compared]

Who Owes a Fiduciary Duty of Care?

The duty is tied to legal role and relationship, not job title alone.

These roles clearly carry the duty:

  • Corporate directors and officers, who owe it to the corporation and shareholders under state corporate law
  • Trustees, who owe it to beneficiaries in trust and estate contexts
  • ERISA plan fiduciaries, required by statute to act with "care, skill, prudence, and diligence under the circumstances then prevailing" (29 U.S.C. § 1104(a)(1)(B))
  • Nonprofit board members, who owe it to the organization's mission and those it serves
  • Attorneys and guardians, who owe it to clients and wards respectively

Employees and agents occupy more nuanced territory. Senior executives with access to proprietary or material information may owe a duty of loyalty that courts treat as fiduciary in nature.

In Banks v. Mario Industries of Virginia (Virginia Supreme Court, 2007), an employee who acted as an agent owed fiduciary loyalty in that capacity — but this turned on the specific agent relationship, not employment status alone.

What does not automatically create a fiduciary duty: A general professional relationship or employment contract. The duty typically must be accepted explicitly, often in a governance document or formal role designation, or arise from a recognized legal relationship. Boards and executives who assume the duty carries over from a general business relationship — without a formal role or recognized legal context — may be misreading their actual exposure.


Real-World Examples of the Duty of Care in Action

Board Merger Approval Without Due Diligence — Smith v. Van Gorkom

The landmark 1985 Delaware Supreme Court case Smith v. Van Gorkom remains the defining duty-of-care failure in corporate law. Trans Union's board approved a merger in a two-hour meeting without reviewing financial analysis, without consulting investment bankers, and without meaningful deliberation. The court found the directors breached their duty of care — not because the deal was bad, but because the process was inadequate. Without evidence of a deliberative process, the board had no defense.

Trustee Asset Disposition — Matter of Rothko

In the 1977 New York case involving Mark Rothko's estate, fiduciaries were held liable for selling and consigning artworks at inadequate values — including transactions that benefited related parties. The breach wasn't just the financial loss. It was the failure to obtain independent appraisals or conduct a reasonable valuation process before disposing of significant assets. The lesson extends to any fiduciary disposing of material assets: process documentation isn't a formality — it's the defense.

Cybersecurity Oversight — The Emerging Frontier

Unlike the two cases above, this frontier hasn't fully crystallized in case law — but it's moving fast. The SEC's 2023 cybersecurity rules added Item 106 to Regulation S-K, requiring public companies to disclose how their boards oversee cybersecurity risks. Directors who cannot articulate that oversight — or worse, boards that receive no regular cyber risk reporting — face a governance gap with direct legal implications.

Consider a realistic scenario: a board receives no structured cyber briefings, no risk metrics, no escalation thresholds. A material breach occurs. Management is notified within hours; the board hears about it days later. When plaintiffs or regulators ask whether the board exercised reasonable diligence, the absence of any governance framework becomes difficult to explain.

The Delaware Court of Chancery dismissed oversight claims against the SolarWinds board (2022), demonstrating that the liability bar remains high — but the scrutiny itself is real and growing.

What "reasonably informed" looks like for a modern board comes down to three things:

  • Knowing the organization's current cyber risk posture
  • Understanding which risks are rising or falling (trend, not just status)
  • Having defined escalation thresholds before an incident forces ad hoc decisions

[Infographic: the three pillars of board cybersecurity oversight under the duty of care]

Tyson Martin's board advisory work is built around this gap — giving boards the structured reporting and pre-approved escalation frameworks that create a documented, inspectable oversight record. That's what the duty of care requires in practice.

Nonprofit Mission Drift

A nonprofit board that approves significant spending on activities unrelated to its chartered purpose faces dual exposure. Failure to investigate whether proposed expenditures align with the organization's mission can simultaneously breach the duty of care (inadequate process) and the duty of obedience (acting outside organizational mandate). IRS governance guidance and nonprofit watchdog frameworks consistently tie board oversight to mission alignment.


What Constitutes a Breach and What Are the Consequences?

Elements of a Breach Claim

To succeed on a breach of fiduciary duty claim, a plaintiff generally must prove four elements:

  1. A fiduciary duty existed
  2. That duty was breached
  3. Damages were sustained
  4. The breach caused those damages

All four must typically be established. Delaware case law (Dohmen v. Goodman, 2020) confirms that compensatory damages require proof of reliance, causation, and actual damages — not just a process failure in isolation.

Common Forms of Care Breaches

  • Approving transactions without reviewing available financial or legal analysis
  • Accepting management presentations without independent verification
  • Ignoring warning signs flagged by auditors, advisors, or whistleblowers
  • Failing to seek expert input on matters outside the board's existing expertise
  • Treating routine approvals as rubber stamps rather than governance decisions

Consequences of a Breach

Consequence                Notes
-------------------------  ------------------------------------------------------------------
Monetary damages           Direct losses, legal defense costs, and sometimes punitive damages
Reputational harm          Public proceedings, press coverage, investor scrutiny
Removal                    From board, trustee, or officer positions
Professional consequences  Loss of licenses, certifications, or industry eligibility

[Infographic: the four consequences of a duty-of-care breach (monetary, reputational, professional, and removal)]

Those consequences can be partially mitigated. D&O insurance and charter exculpation under DGCL Section 102(b)(7) can limit personal financial exposure for good-faith decisions. Neither applies to bad faith, intentional misconduct, knowing legal violations, or loyalty breaches — directors carry real personal exposure when those lines are crossed.


How Fiduciaries Can Protect Themselves

Document the Process

Courts evaluate process quality, not just outcomes. The strongest defense in any duty-of-care challenge is a clear record of what information was reviewed, which experts were consulted, what questions were asked, and how decisions were reached. Board minutes, meeting materials, and decision logs aren't administrative formalities. They are legal protection.

Structural Protections Available

  • D&O insurance covers losses from claims arising from good-faith decisions made in official roles
  • Charter exculpation provisions (under Delaware law and most state equivalents) can eliminate personal monetary liability for care breaches — but not for bad faith or loyalty violations
  • Indemnification clauses reimburse directors for reasonable legal expenses when proceedings arise from official actions

None of these substitutes for a sound process. They protect directors who made defensible decisions that were poorly communicated, not directors who made no real decision at all.

Address Specialized Risk Domains

Technology and cyber risk pose a particular governance challenge: most boards don't have deep technical expertise, yet they're now accountable for overseeing it. The practical answer isn't appointing a cybersecurity expert to the board — it's ensuring the board receives credible, regular, and decision-ready reporting from someone who can translate risk into business terms.

That typically means establishing defined materiality thresholds (so "does this require board notification?" has an answer before anyone is scrambling), mapping decision rights before an incident forces improvisation, and building dashboards that show risk trends rather than raw activity counts. Independent board advisors — those deliberately separate from the in-house CISO and security vendors — can help boards build exactly that kind of oversight infrastructure. The result is inspectable evidence of informed, ongoing engagement with risk, which is the standard the duty of care actually requires.


Frequently Asked Questions

What is fiduciary duty of care?

The duty of care is the legal obligation of a fiduciary to make decisions with the diligence, competence, and informed judgment of a reasonably prudent person in a similar role under similar circumstances. Courts evaluate the quality of the decision-making process, not just whether the outcome was favorable.

What are the three main fiduciary duties?

The three core fiduciary duties are:

  • Duty of care — informed, diligent decision-making
  • Duty of loyalty — prioritizing the beneficiary's interests over personal interests
  • Duty of obedience / good faith — acting within the law and in alignment with the organization's mission and governing documents

What is the business judgment rule and how does it protect directors?

The business judgment rule is a legal presumption, established in Aronson v. Lewis, that protects directors from liability when they make decisions in good faith, with adequate information, and free of conflicts. Courts generally will not second-guess a business decision when the process behind it was sound.

What happens when a board member breaches the duty of care?

Consequences can include personal monetary liability for damages, reputational harm, removal from the board or trustee role, and potential loss of professional standing. D&O insurance and charter indemnification provisions can limit financial exposure, but they don't cover bad faith or intentional misconduct.

Does the duty of care apply to cybersecurity oversight?

Yes. The SEC's 2023 cybersecurity disclosure rules require public companies to disclose board-level oversight of cyber risks. Directors who cannot demonstrate regular, structured engagement with cyber risk may struggle to satisfy the "reasonably informed" standard — even when the security team beneath them was performing well.