The Physical Security Scenario: A Simple Analogy for Cybersecurity Negligence
Imagine a simple scenario.
A bank hires a security company to protect its building overnight. The guard steps outside for a smoke break and props the back door open. While he’s gone, someone walks in and steals thousands of dollars in equipment and cash.
What follows is predictable:
- The security company is investigated.
- The guard is disciplined or terminated.
- The company may face civil liability.
Courts routinely recognize that security firms have a duty of care when they’re hired to provide protection. If they fail to perform basic responsibilities—and that failure contributes to a loss—lawsuits follow.
This principle sits squarely in negligence law: duty, breach, causation, and damages. Security firms have been sued for everything from unlocked access points to unpatrolled areas (see Delta Tau Delta v. Johnson, 712 N.E.2d 968 (Ind. 1999), among other premises security cases).
Applying the Analogy: What Happens When Cybersecurity Leaves Doors Open
Now consider cybersecurity.
An organization hires an IT team to manage its systems.
Critical vulnerabilities remain unpatched.
Default credentials stay active.
Remote access services sit exposed to the internet.
Eventually, an attacker exploits those weaknesses and steals data — or deploys ransomware.
Yet the response often looks very different.
We hear about “sophisticated hackers,” “APTs,” or “highly advanced cyber campaigns.”
And sometimes… the conversation stops there.
But pause for a moment.
If leaving a physical door open creates liability, why isn’t leaving a known digital vulnerability unpatched treated the same way?
In many cases, it should be.
Why Negligent Cybersecurity Practices Can Create Legal Liability
Modern cybersecurity frameworks — NIST CSF, CIS Critical Security Controls, ISO 27001 — define widely accepted standards for “reasonable” cybersecurity behavior. Regulators increasingly use these standards as benchmarks when evaluating organizational responsibility.
Courts have already begun treating negligent cybersecurity practices as actionable.
- FTC v. Wyndham Worldwide Corp. (2015) established that failing to implement basic cybersecurity measures can qualify as an unfair practice.
- The SEC’s 2023 charges against SolarWinds and its CISO signal regulators’ growing willingness to scrutinize preventable weaknesses.
This doesn’t mean every breach is an example of cybersecurity negligence. Attackers are creative, and defenses are never perfect.
The Key Distinction: Advanced Attacks vs. Avoidable Mistakes
There’s a meaningful difference between:
- Being defeated by a sophisticated adversary, and
- Leaving the digital equivalent of the front door unlocked.
Organizations rely on IT teams to maintain the systems that run the business. When patches are ignored, default passwords remain, or basic safeguards are left undone, the resulting risk isn’t mysterious.
It’s predictable.
Cybersecurity, Risk Management, and Accountability
Cybersecurity is no longer just a technical issue. It is a matter of risk management and organizational accountability.
In the physical world, we understand that a guard who leaves a door open may share responsibility for what happens next.
The digital world is slowly catching up.
Eventually, organizations will face a straightforward question:
Was the Hacker Unstoppable… Or Was the Door Left Open?
Just as physical security firms are recognized as having a duty of care to their customers, so too do cybersecurity firms have one.
And the repercussions for cybersecurity negligence could be just as devastating for ALL involved.
Need help making sure your digital doors are closed? Engage our CISO Support Services to strengthen governance, reduce risk exposure, and align security with business goals.