Directors & Officers In The Health Care Industry Must Take Aggressive Action To Protect Their Organizations -- And Themselves -- From A Fatal Infection

I. Introduction

By now you almost certainly know that the Year 2000 problem affects nearly all high, medium and low technology products that depend on date-based calculations for proper operation. This worldwide epidemic has been covered extensively in the popular media, which has publicized its existence, the scope of the problem, the absolute need to treat it before January 1, 2000 and the consequences of inadequate treatment. The disease is real, and can be ignored only at great risk. Inadequate treatment will result in ruinous litigation and business failures.

Obviously, the Year 2000 may have dire ramifications for your enterprise. If you are an officer or director of an organization, regardless of whether it is public, private, for profit or not, the personal consequences of the Millennium Bug infection are potentially disastrous. Capers Jones, President of Software Productivity Research, Inc. and a leading Year 2000 industry analyst, has stated that failure to treat the Year 2000 problem will probably "damage or even end the careers of about half of the senior executives in the United States." He is not alone in forecasting that directors and officers who fail to take aggressive and immediate action to combat the Year 2000 problem will be some of its most conspicuous victims. David Eddy, a specialist in technical treatments for the Year 2000 problem, has opined that "most current boardroom management will not survive Y2K" because they have waited until the final hour to treat Millennium Bug infections, and because they have attempted to distance themselves from the systems that are the life-blood of the modern enterprise. Another author, Mark Stuhlmiller, has cautioned directors and officers that "unless you plan on retiring before the Year 2000, or shortly thereafter, it is time to start questioning your job responsibilities and determining whether you will be adequately protected from legal action... if you don't start planning now, you will retire!"

Can officers and directors afford to ignore the Year 2000 problem or, even if they are aware of it, abdicate responsibility for treating the infection to subordinates? Not if they care about their jobs, and not if they hope to avoid being a target of the widely anticipated wave of Year 2000 lawsuits against officers and directors that will seek to impose millions of dollars in personal liability for everything from failing to make appropriate cost disclosures to breaches of fiduciary duty. Simply stated, executives who fail to take immediate, aggressive and personal action will be playing Russian Roulette with the fortunes of their organizations -- and their own futures.

II. The Millennium Bug Infection is Acute and Potentially Fatal

How did the Millennium Bug infection occur? In the dawn of the computer age, when external storage devices were costly and data entry was labor intensive, executive management sought efficiencies in storing, entering and displaying data. Dates were entered and stored in six digit fields, accounting only for the day, month and year. The century was implied, and not explicitly stored. This is a workable assumption until twenty-first century data is introduced and programs lose the ability to distinguish between dates. In the dd/mm/yy programming format that has been the norm for forty years, January 1, 1900 is stored precisely the same way as January 1, 2000 -- 01/01/00. Hence, the birth of the Millennium Bug.

Because of the long latency period, the Millennium Bug may sound more like a benign parasite than a ruthless killer. However, no one is immune from infection. The Year 2000 problem is pervasive and is potentially deadly for those organizations which fail to combat the disease because any equipment that is infected but not treated will either fail entirely or produce unreliable results. Nearly every organization will be affected by the two digit rollover that will occur when 1999 becomes 2000.

The Millennium Bug has attacked new and old hosts alike. Software applications, hardware, platforms, personal computers, local area networks, mainframes, client-server networks, compilers, operating systems, queries, archives, data bases, screens, reports, embedded files, applications, software utilities and data are all infected to some degree. Any piece of equipment or machinery that incorporates and relies on a computer chip with date-coded logic may also be infected with the Millennium Bug.

What makes the Millennium Bug infection different from other business health issues, and why should directors and officers take a personal interest? The Year 2000 problem is unique because:

• The consequences of failing to treat the infection, and of inadequate treatment, are known and can be reasonably anticipated by an ordinarily prudent businessperson.It must be contained within a short and very definite time frame.There is no "silver bullet" medicine available to cure the infection, and because of the sheer volume, complexity and diversity of the vulnerable systems in use at the typical organization, a single "magic fix" is not likely to be developed.The money required for treatment must be spent just to survive, and will not necessarily result in new or improved products or services.
• All of the entities with whom you do business, including most of your critical suppliers, customers and key business partners must also treat their infections.

How extensive is the infection? Its severity, particularly in the United States, has obviously been greatly exacerbated because our society has thoroughly embraced systems that depend heavily on date-based calculations. That reliance has become so extensive in the business world that the phrase "the computer is down" is now synonymous with "I am temporarily -- and perhaps permanently -- out of business."

The costs of combating the Year 2000 problem are directly related to the volume of systems vulnerable to infection and the rapidly closing window of opportunity. Therefore, treatment will be extremely expensive for most enterprises. It has been estimated that a typical large organization can expect to spend about $100 million. The Gartner Group, another industry analyst, reports that Prudential Insurance has budgeted $150 million to treat its Year 2000 infection. There are unconfirmed reports that Federal Express anticipates treatment costs in the $500 million range. In that context, it should come as no surprise that the costs associated with treating the disease in this country will run into the billions of dollars.

Capers Jones has calculated that nearly $300 billion will be spent in the United States on the Year 2000 problem between 1997 and 2005. At least $100 billion of that amount will be the result of compensatory and punitive damage awards against organizations that did not adequately address their Year 2000 problem. Legal fees associated with those Year 2000 lawsuits are likely to top $2 billion, according to Jones, the equivalent of $750,000 a year between 1997 and 2005 for any larger-sized business enterprise. Gartner Group, another analyst of the financial consequences of the Year 2000 problem, estimates that $300 billion to $600 billion will be spent worldwide just to treat the infection. Others contend that the total price tag for dealing with the fallout of the Millennium Bug infection will exceed one trillion dollars. The financial impact of the Year 2000 problem is clearly too large to ignore.

III. Directors and Officers May Face Personal Liability If They Do Not Take Aggressive Steps to Eradicate Existing Infections and to Treat Related Manifestations

Even in the best of times, directors and officers are subject to a substantial risk of personal liability for the costs of settlements, judgments and defense costs associated with lawsuits that may be asserted under statutory and common law principles. If executive management does not adequately fulfill its fiduciary duty of due care in treating, containing and eradicating the Year 2000 problem, or if it fails to make adequate disclosures to its investors regarding anticipated treatment costs, there is a strong likelihood that directors and officers will be held personally responsible.

Directors are legally bound by the fiduciary duties of loyalty and due care to ensure that corporations are managed in the best interests of their shareholders. To satisfy those fiduciary duties, directors must develop business strategies, and select and supervise officers to implement them. Directors must also establish major policies, evaluate the performance of management, review the financial status of the corporation, submit information about the financial condition of the corporation to the shareholders and government regulators, and authorize and monitor securities transactions. All of these activities expose directors to personal liability.

The duty of loyalty may become an issue in the Year 2000 context in that it embraces certain disclosure obligations distinct from those imposed by federal securities laws. However, when the efforts undertaken by executive management to eradicate the Millennium Bug infection comes under scrutiny, the duty of care is the fiduciary obligation that will be the primary weapon of angry shareholders.

The duty of care requires that director decisions be made on an informed basis following "reasonable diligence" in gathering and considering all material information. The adequacy of the information gathering and deliberation process, rather than the results of the decision itself, is the determinative factor. The precise formulation of the duty of care owed by directors varies from state to state. However, if a director has, in good faith, acted on an informed basis in the honest belief that his decision was in the best interests of the company, it is generally presumed that the fiduciary duty of due care has been satisfied. The protection afforded for decisions made upon reasonably adequate information and deliberation is known as the "Business Judgment Rule." It is based on the key presumption that the decision in question was made after appropriate deliberation by the board. It is not applicable in instances where, in the absence of a conscious and documented decision, the directors have failed to act at all. In other words, directors must act with the requisite care in the discharge of their duties as stewards of the company assets.

Directors may further limit their potential personal liability by retaining and relying on the advice of experts, counsel or committees formed to supervise and monitor important corporate activities. As noted in the Comment to Section 4.01(b) in the Analysis and Recommendations section of the Principles of Corporate Governance, delegation and reliance is a necessity dictated by the size and complexity of the modern corporation:

Thus, directors may discharge their fiduciary duty of due care by delegating and relying on others inside and outside the enterprise such as legal counsel, accountants and other competent professionals. Indeed, directors may be in breach of the fiduciary duty of care if they fail to obtain advice from outside experts. Directors may not abdicate responsibility altogether, though. Ignorance and inexperience are not viable defenses. Directors must exercise reasonable care in their selection of officers, subordinates, outside advisors or committee members to ensure they are capable of performing the task. Those who choose to delegate must, as always, monitor and supervise the activities of the officers, subordinates, outside advisors and committees that have been appointed.

These fundamental principles regarding the duty of due care will almost certainly be put to the test by the Year 2000 problem, particularly in the context of derivative suits. Federal and state laws in every jurisdiction allow a shareholder to bring a cause of action to enforce the rights of the corporation. Any breach of the fiduciary duty of due care that results in harm to the corporation may give rise to a derivative claim against the directors and officers of the corporation.

It is not difficult to envision that at least two breaches of duty commonly alleged in derivative suits -- namely, the approval of improper or excessive corporate expenditures and the general neglect or mismanagement of the corporation -- could easily be applied in the Year 2000 context. If executive management fails to appreciate the seriousness of the Year 2000 problem and the value of its stock declines due to the lack of any attempt to treat the infection, shareholders will sue. Directors and officers will be held personally liable for millions of dollars in damages if they have not done their homework on the Year 2000 problem, and have not taken appropriate preventative measures. All of these efforts need to be carefully documented, so that executive management is not vulnerable to charges that it wasted corporate assets on treating the infection when the company sails through the Year 2000 without problems because of the aggressive steps taken to prevent a catastrophe.

In sum, now that the existence of the Millennium Bug infection, its pervasiveness and the potentially ruinous consequences have been so widely publicized, directors and officers charged with breaching their duty of due care for failing to take aggressive steps to treat the Year 2000 problem will not be able to rely on ignorance as a defense. Directors and officers need to treat their internal Millennium Bug infections, ensure that their organizations will not be crippled if their external suppliers, customers and business partners fail to adequately treat their own Year 2000 problems, develop strategies to avoid legal liabilities, and finally, pursue all possible avenues of cost recovery. If directors and officers fail to do so, they may be held personally liable for breaching their fiduciary duty of due care.

As a general rule, all corporations -- no matter whether they are public, private, for profit or not for profit -- are required to make adequate disclosures regarding the financial health of the enterprise. For private corporations, the risk of failing to disclose material information manifests itself in fraud claims. Fraud may also be asserted against the directors and officers of a public corporation, but if they have federal reporting duties their greatest exposure lies in complying with the obligations imposed by federal securities laws.

Directors and officers of public companies can be held personally liable under the Securities Act of 1933 and the Securities Exchange Act of 1934 for a number of activities -- including the registration of publicly issued securities, reporting obligations on Forms 10-K, 10-Q and 8-K, soliciting proxies, ongoing disclosures to investors and the financial community and the dissemination of financial information for inclusion in registration statements and periodic reports. Regardless of the reporting activity involved, companies are typically required to disclose all "material" information. Financial information is "material" if there is "a substantial likelihood that a reasonable shareholder would consider it important" in making decisions about his or her investment in the company. TSC Industries, Inc. v. Northway, Inc., 426 U.S. 224 (1988). This general rule applies both to historical facts and prospective events.

With respect to the obligation to disclose information relating to contingent events, the Supreme Court in TSC Industries stated that materiality depends on a balancing of "the indicated probability that the event will occur and the anticipated magnitude of the event in light of the totality of the company activity." Directors and officers have an affirmative obligation to ferret out and disclose this type of financial information. The Securities and Exchange Commission (SEC) has stated, in a comparable context, that "when important events central to the company are involved, directors have a responsibility affirmatively to keep themselves informed of developments within the company and to seek out the nature of corporate disclosures to determine if adequate disclosures are being made." Securities Exchange Act Release No. 34-14380 (January 16, 1978).

These principles are reflected in Management's Discussion and Analysis of Financial Condition and Results of Operations ("MD&A"), as required by the integrated disclosure system adopted by the SEC and codified in Item 303(a) of Regulation S-K. The MD&A instructs all registrants under the Securities Act of 1933 and reporting companies under the Securities Exchange Act of 1934 to discuss historical performance and current financial condition. More importantly in light of the pervasive Year 2000 problem, preparation of the MD&A requires the disclosure of information concerning trends, uncertainties and other circumstances that may have a material impact in the future. For example, "material commitments for capital expenditures" and "the general purpose of such commitments and the anticipated funds needed to fulfill such commitments" must be described. From a historical perspective the MD&A must discuss "any unusual or infrequent events or transactions or any significant economic changes" that materially affected reported income from continuing operations. As for prospective analysis, the MD&A must analyze "any known trends or uncertainties that have had or that the registrant reasonably expects will have a material favorable or unfavorable impact on net sales or revenues or income from continuing operations."

The SEC has not yet been called upon to determine in a case specific context whether Year 2000 treatment costs are material and subject to disclosure. However, in its Report To The Congress On The Readiness Of The United States Securities Industry And Public Companies To Meet The Information Processing Challenges Of The Year 2000, the SEC stated:

Questions have been asked about the nature of disclosure that should be made by public companies regarding the Year 2000 problem. Companies may be undertaking major research and development projects in order to address this problem. To the extent the problem is not successfully addressed, material adverse consequences could follow, depending on the extent of the problem and the nature of the industry and the computer software. Companies should review on an ongoing basis the need for disclosures concerning projected expenditures and uncertainties associated with Year 2000 consequences, particularly in connection with their forthcoming reports or registration statements to be filed with the Commission.

Consideration should be given to whether either the costs of addressing the problem or the consequences of incomplete or untimely resolution of the problem represent a known material event or uncertainty that would affect future financial results, or cause reported financial information not to be necessarily indicative of future operating results or future financial condition. As such, appropriate disclosure should be made in "Management's Discussion and Analysis of Financial Condition and Results of Operations" (Item 303 of Regulation S-K and S-B) in the company's reports on Form 10-K (10-KSB) and 10-Q(10-QSB).

Companies also should consider other disclosure requirements, such as "Description of Business" (Item 303 of Regulation S-K and S-B) and rules requiring disclosure of any additional material information, beyond information specifically required to be disclosed, that is necessary to make the required statements not misleading (Securities Act Rule 408 and Exchange Act Rule 12b-20).

Accordingly, there can be little doubt that the SEC, not to mention other federal and state agencies with enforcement or supervisory responsibility over disclosure related obligations, will take the position that Year 2000 treatment costs are material and must be disclosed. This is particularly true in light of the increasing vigilance demonstrated by the SEC over the past fifteen or twenty years with respect to the sufficiency of MD&A disclosures. Since 1980, when the MD&A was added as part of the disclosure requirements under the Securities Act of 1933 and the Securities and Exchange Act of 1934, the SEC has repeatedly stressed the need for meaningful disclosures. The information deemed material and subject to disclosure by the SEC has constantly been expanding, particularly data that is likely to impact future performance. That view is reflected in Release 33-6835 (May 18, 1989), in which the SEC stated that the "MD&A requirements are intended to provide, in one section of a filing, material historical and prospective textual disclosure enabling investors and other users to assess the financial condition and results of operations of the registrant, with particular emphasis on the registrant's prospects for the future."

Uncertainties over the availability of financial resources, uncertainties of the continued viability of major customers, suppliers or other key business partners and numerous other known uncertainties -- all of which describe the known manifestations of the Millennium Bug infection -- are typical examples of the trends, demands, commitments, events, transactions and uncertainties which may materially affect operational results, liquidity and capital resources, and all of which must be disclosed. It will be difficult for any company which is planning to spend or has spent millions of dollars to treat its Millennium Bug infection to credibly contend that these large, extraordinary expenses were not material and did not have to be disclosed.

The materiality of these costs will be greatly magnified by the tax treatment that may be required. It is likely that the Internal Revenue Service will resist any attempt to write-off treatment costs as currently deductible expenses given the amount of dollars involved. If treatment costs must be amortized rather than deducted as a current year expense, there will certainly be a significant impact on after tax income. Thus, the costs incurred to treat a Millennium Bug infection may have a very significant -- and thus material -- impact on the bottom line for any company that is actively combating the Year 2000 problem, further exacerbating the myriad disclosure issues that must be considered.

Although recent legislation has been passed to make it more difficult for investors to successfully prosecute claims based on alleged inadequacies in MD&A disclosures, the safe harbors that were created will be of little comfort to those companies who file MD&As with forward looking statements that do not make appropriate Year 2000 disclosures. Remember that by the time disclosure issues reach the trial stage jurors will not be rendering judgment based on what is known in 1997 or 1998 about the scope of the Millennium Bug infection and its potential ramifications. To the contrary, when these cases are tried in the Year 2000, 2001, 2002 and later, the conduct of directors and officers will be judged under a much more rigorous standard by people who have witnessed or experienced the consequences of the Year 2000 problem. They will not have much sympathy for directors and officers who failed to disclose material information and who did not take appropriate action because they either ignored or failed to appreciate the warning signs regarding the gravity of the problem.

IV. The Health Care Industry Has a Very High Level of Exposure

The health care industry has always been one of the most risk intensive environments in the United States. That exposure will be exacerbated by the Year 2000 problem, regardless of whether your organization is traditionally structured or part of an integrated delivery system, public or private, for profit or not. In addition to the significant and staggering risks created by the infection of financial systems, the tort liability exposures cannot be ignored. Indeed, the following examples provide a compelling illustration of the potential impact of the Year 2000 problem:

All of these examples highlight exposures arising out of Millennium Bug infections caused by the products which rely on date-coded microchips. Hospital directors and officers have an obligation to ensure that functioning medical equipment has been acquired to provide the care offered by the institution, and that it has been adequately maintained. If appropriate measures have not been implemented to treat the Year 2000 problem in these and other hosts in the hospital environment, directors and officers may be held personally liable for breaching the duty of due care if patients are harmed because of biomedical equipment that has been infected with the Millennium Bug.

V. The Patient Can Be Saved

The Business Judgment Rule and various statutory safe harbor provisions suggest that directors and officers can take a number of steps to protect their organizations, their jobs and their futures from a fatal Millennium Bug infection. However, immediate action and sustained executive management focus is required to ensure that the disease is contained or eradicated altogether. To achieve that objective, and to minimize exposure to personal liability for consequences arising out of the Millennium Bug infection, the following blueprint should be adopted to meet the particular needs of your organization and aggressively implemented:

VI. Conclusion

The Year 2000 problem is real and cannot be ignored. The consequences of infection will be devastating, particularly for those directors and officers who dismiss its seriousness. The Year 2000 problem will initiate an unprecedented level of litigation, and the unwary will be ravaged. Executive management must take immediate and aggressive steps to protect themselves and their organizations. Only those who tackle the Year 2000 problem with both technical and legal resources will be prepared to meet "the ultimate risk management challenge of the century."

VII. About Michael R. Cashman

Michael R. Cashman is a member of Zelle & Larson, a national law firm with offices in Minneapolis, Boston, Dallas, Los Angeles, Miami and San Francisco. Mr. Cashman specializes in complex business and insurance coverage litigation. He helped found the Year 2000 Practice Group at Zelle & Larson to assist organizations and individuals in their efforts to grapple with the consequences of the Millennium Bug. Mr. Cashman can be reached in the Minneapolis office of Zelle & Larson (City Center Suite 4400, 33 South Sixth Street, Minneapolis, MN 55402), by telephone (612-336-9123), facsimile (612-336-9100) or e-mail (mcashman@zelle.com).