Y2K and Liability to Third Parties

Share:

Plan for the Worst. In some ways, Y2K is like a hurricane. The weather service can forecast reasonably well where and when it may strike. Injury and damage are foreseeable results. Actual harm and extent of damage cannot be known until the hurricane passes. The best anyone can do is take reasonable precautions beforehand to mitigate its effects. Like a hurricane, Y2K will happen. Unlike a hurricane, however, nothing like Y2K has happened before. There is an absolute, non-negotiable deadline for completing remediation work. There are no established standards of practice, no precedents and few guidelines available to counsel and clients to handle Y2K. Prudence dictates that companies become aware of, and assess the risk and take action to mitigate its impact on the company.

What to Look For

Involved Management. The officers and board of directors must be involved in the remediation effort. Board and management actions should be carefully documented to assure the company that all reasonable efforts are made to control Y2K impact on the company.

Awareness. Employee awareness, effort and cooperation are essential. All employees should be told the company is addressing Y2K and their help and cooperation are needed. Information may be supplied to them on a need-to-know basis and should not be restricted to addressing only technical issues.

Technical efforts. Y2K requires specialized technical skills. Many companies do not have skilled employees to address Y2K technical matters. They should retain outside consultants for the project. Y2K service agreements should be in writing and clearly describe the scope of work, precisely describe what services are to be rendered, specify work and testing schedules and the company’s responsibilities.

Best Practices. There’s no industry standard or test for compliance. There is no single solution for all systems. Information Technology (IT) experts stress awareness and testing as the keys to remediation. Pre- and post-placement testing of remediated systems is the only way to determine if a company has, in fact, achieved compliance within its environment and compliance with its business partners (customers, vendors, service providers).

Risk. Y2K liability may arise from many business practices and activities. For example, from the company’s computers, electronic data exchange agreements, warranties, contracts, product sales literature and service agreements. It may come from external sources, such as business partners’ computers, communications from vendors, suppliers, banks and regulatory agencies. Some internal risks have reciprocal external risks; for example, e-mail.

Claimants. A company may be sued by a business partner in its supply chain. Someone may claim injury and damages predicated on the Y2K status of the company or the company’s suppliers, vendors and service providers. It may be sued by employees, investors or face regulatory discipline despite its best efforts to respond to Y2K.

Risk Management. Business and legal risks overlap. Legal counsel should be involved in all Y2K business risk discussions. Under direction of legal counsel, the company should identify, assess and plan effective measures to control legal risks within and outside the company.

Internal Risks. Legal counsel should review all potential sources of risk within the company. This includes all contracts with business partners, product literature, warranties, service agreements, Y2K disclosure statements and Y2K remediation documentation.

External Risks – Business Partners. It is incumbent on a company to establish actual Y2K compliance with its mission-critical business partners and reconfirm compliance status from time to time. It should examine legal relations with vendors and carefully document efforts to achieve compliance with business partners. A company may need to assist a critical or sole-source vendor achieve compliance. It may need to develop alternative sources of supply. For example, California State agencies require vendors achieve external compliance with state agency systems as a condition to doing business after December 31, 1999.

External Risks – Other. Even when a company achieves internal compliance and compliance with business partners, it still may have liability exposure to other third parties. This depends on what products it sells or services it provides and the effectiveness of its Y2K remediation efforts. Liability may extend to claimants outside the company’s supply chain; for example, to persons who receive bodily injury or incur property damage. A well-conceived, implemented and documented remediation effort can discourage marginal claims.

Reducing Exposure To/From Business Partners. If efforts to achieve Y2K compliance with business partners are not carefully managed, they can quickly lead to an adversarial climate and shift focus away from achieving compliance to legal maneuvering.

For example, assume a vendor (Company A) exchanges electronic data with a critical supplier (Company B). All communications between the companies are by employees in the accounting and sales departments. An employee of Company A tells an employee of Company B she thinks Company A is Y2K compliant. Company B employee says he doesn’t know if Company B is compliant, but will ask. He does and this generates discussion about what to say to Company A.

Meanwhile, Company A employee tells her boss that she told Company B employee that Company A was Y2K compliant. Turns out they are not. Both companies start scrambling. Each tells their respective employees to say nothing and ask no one about Y2K compliance. This is followed by an exchange of broad non-committal Y2K disclosure statements. Subsequent communications manifest an unwillingness to share information. Communications break down replaced by mutual suspicion.

A company can reduce liability risks by cooperating with business partners to achieve mutual compliance. Maintaining open communications, face-to-face meetings, providing Y2K disclosures and information as necessary and agreements on testing are important. Counsel may want to consider drafting a Y2K mutual cooperation agreement. Essential elements include: scope of project, identifying information to be shared, work schedules and periodic reporting, testing schedules, designation of officers responsible for Y2K communications and project coordination, maintaining confidentiality of shared information and a method for resolving disputes, such as ADR.

Review Insurance. There may be no coverage under existing policies. Insurers are adding Y2K exclusions as policies come up for renewal. Management should review all insurance policies and discuss Y2K coverage with the carriers and their attorneys.

Documentation. Create a paper trail of the entire remediation effort. Major corporations are meticulously developing compliance databases to memorialize every Y2K decision, communication, report and test made. Include: Board Resolutions and Minutes authorizing and funding the Y2K project; board and management decisions to make changes to the project, including increase or reduction of allocation of resources; consultant agreements; all reports by employees and consultants; all communications between employees and with consultants, business partners and third parties, including e-mail.

Independent Audits. A company should get independent Y2K technical, financial and legal audits as needed. Publicly-traded companies are required to independently verify their Y2K readiness and include the findings in Readiness Reports filed with the SEC and other agencies. Private companies may be required by creditors to independently certify compliance.

New Law. The Federal Year 2000 Information and Readiness Disclosure Act (Public Law 105-271) became law October, 1998. The Act prohibits the use of written Y2K readiness disclosure statements made after January, 1996 as evidence against the maker (any person may be a maker) of the disclosure to provide the accuracy or truth of the information in any federal or state action. It also precludes oral or written Y2K statements that later prove to be inaccurate from forming the sole basis for liability, unless claimant introduces clear and convincing evidence of: materiality; actual knowledge it was false, inaccurate or misleading, or was made with intent to deceive or with a reckless disregard to accuracy. The Act excludes from protection statements made to consumers.

The intent of the law was to encourage the free exchange of Y2K information between parties. However, the results may be more far reaching. Raising plaintiff’s burden of proof in cases of fraud and gross negligence may shift risk of loss from computer manufacturers, vendors and service providers to business users. Some experts believe the Act makes it impossible to sustain an action in simple negligence against the protected class.

The California Year 2000 Information Disclosure Act (Civil Code Section 3269) provides immunity for tort damages to any person for injury resulting from the gratuitous disclosure of Y2K information. It closely parallels the federal law in concept. It is unclear what affect this law may have in light of the federal law.

The Attorney’s Role. Urge your clients to make a Y2K self-assessment. Suggest they contact government agencies and trade associations for help. A list of publications and websites appears at the end of this article. Before you represent a client on Y2K matters, thoroughly discuss the scope of work and in detail the services you’re going to provide. You need access to all company documents, employees and consultants. Discuss your participation in the Y2K decision-making process and your responsibilities for Y2K communications and documenting the Y2K remediation effort. And don’t forget: put it all in writing, have the client sign and provide a signed copy.

Summary. Businesses should adopt a proactive approach to Y2K. They should inform themselves and everyone in the company about their Y2K problem. They should discover, identify, inventory and remediate Y2K and retain outside IT specialists as necessary. At this late date, companies that have not already begun remediation may be confronted with limited available resources and an impossible deadline for completion. They may have to resort to crisis management, triage and contingency planning to get through. Companies already engaged in remediation efforts may not have adequately addressed, assessed and planned for liability to third parties.

Attorneys should encourage their clients to adopt a proactive approach to Y2K. Y2K is uncharted territory for attorneys. To adequately represent a client, you should have a working knowledge of Y2K technical, business and legal issues.

Y2K Resources. Here is a sample of what is available. There are many more.

Business Publications

SBA self-assessment and checklists. Contact local office to order or go to website.

Year 2000 and You, U.S. General Services. To order, call 888/878-3256 and ask for “Year 2000.”

Countdown to Year 2000, Wells Fargo Bank. Contact local branch for copy.

The Year 2000, Bank of America. Contract local branch for copy.