|
|
|
|
|
Year 2000 Computer Failures:Managing the Business and Legal RisksSteven H. Goldberg, Cosgrove, Eisenberg & Kiley, P.C.
The "Year 2000" problem refers to the inability of most computers to process date information later than December 31, 1999. Date codes in most programs are abbreviated to allow only two digits for the year, e.g., "97." Unless these programs are converted to handle the century date change, they will interpret the year "00," that is, 2000, as 1900. When that happens, some computers won't work at all and others will suffer critical calculation and other processing errors. Because of the unprecedented scope of the problem, long lead times of several years are required to assess, correct and test automated systems to prevent computer failures and operational disruptions. Although the problem is fundamentally a technical one, public and private enterprises should recognize the significant legal issues that will arise from Year 2000 failures and take appropriate measures now to protect themselves, their shareholders and their customers from liability exposure, financial losses and business interruptions. Indeed, directors and officers may have fiduciary duties to exercise due diligence to investigate and disclose potential Year 2000 problems. Avoiding foreseeable Year 2000 trouble spots also will help companies reduce their vulnerability to litigation and identify potential claims against non-compliant vendors. THE TECHNICAL PROBLEM A simple example of the Year 2000 problem is the calculation of someone's age, a vital piece of information for many business, government and professional computer applications. A person who was born in 1935 will turn 65 in 2000. But computers that cannot correctly process 21st century dates would subtract 1935 from 1900 and calculate the individual's age to be -35 (or possibly 35). Similarly, a credit card issued for four years starting in 1998 might not work because computers would think the card expired 96 years ago in 1902. The problem is a serious one because computers use dates in many ways and for many purposes. Date information is critical to carrying out financial transactions, processing claims, establishing eligibility for various programs and services, and operating telecommunications, scheduling and process control systems. Possible consequences of Year 2000 failures include: • erroneous cancellation of customer accounts, orders and shipments of goods and supplies; • premature expiration of licenses, credit cards and drug prescriptions; • miscalculation (or non-payment) of employee compensation, pension and other fringe benefits, interest, and dividends; • inability to issue invoices, track accounts receivable and payable, execute stock and bond trades, and process tax, loan and lease payments; • malfunctioning of electronic data interchange systems, computerized assembly lines, power generating systems, waste treatment plants, and security and HVAC systems; • rejection of valid insurance claims and miscalculation of premiums; and • disruption of airline reservation systems, vehicle and equipment maintenance schedules, warehouse operations, and inventory control. THE MANAGEMENT CHALLENGE OF THE CENTURY Reprogramming computers to achieve Year 2000 compliance is technologically feasible. However, great difficulties will arise because virtually all computer systems, large and small, public and private, perform hundreds or thousands of date calculations, all of which must be located, reprogrammed and tested at enormous cost over a relatively short period of time. The project management demands of Year 2000 conversions pose one of the most difficult and expensive logistical undertakings in human history. Moreover, Year 2000 impacts will not be isolated within Information Technology ("IT") departments. The management challenge extends throughout the enterprise, as well as to the suppliers and service providers the organization depends upon and the business partners, customers and clients who depend upon the organization. Gartner Group estimates that converting computer systems to handle 21st century date information will cost $400 - $600 billion world-wide.(1) Software Productivity Research, Inc. puts the total cost, including software, hardware and database repairs, plus litigation expenses and damage awards, at $1.635 trillion.(2) Money aside, industry analysts agree that there is little likelihood that serious Year 2000 failures can be avoided entirely. Gartner Group estimates that 25% - 50% of all computerized organizations will not achieve full Year 2000 compliance in time.(3) A Standish Group International study reports that more than 90% of all IT projects are delivered late or never completed.(4) Even organizations that achieve Year 2000 compliance for their own computer systems may still confront serious obstacles if important suppliers and service providers fail to do so. The Tactical Strategy Group, Inc. recently observed that "Most industries are focused solely on resolving internal year 2000 problems and are ignoring third-party risk factors that could be much more devastating."(5) Responsible companies should not assume that their trading partners are taking appropriate measures to achieve Year 2000 compliance. Software Productivity Research suggests that "mid-sized corporations will probably be late in getting started on their year 2000 repairs, will under estimate and under budget for their year 2000 work, will not bring in the appropriate tools and specialists, and will probably not have any contingency plans in place on what to do with applications that don't make the changes in time."(6) Because "enterprises are now linked together electronically," SPR believes that "entire industries are going to be affected" by the year 2000 problem.(7) Until recently, senior management in most private and public sector organizations have neither been fully aware of the nature or extent of the Year 2000 problem nor actively involved in responding to it. Because Year 2000 failures threaten the viability of the enterprise and require all business units to prepare for the inevitable disruptions, directors and officers must lead the response to the crisis. RESPONDING EFFECTIVELY TO YEAR 2000 BUSINESS AND LEGAL RISKS Widespread failures of computer systems around the world in all economic sectors are likely to give rise to significant business disruptions, financial losses and attendant legal exposure. Achieving internal Year 2000 compliance of one's own computers, although enormously difficult and expensive, is only half the challenge. In order to anticipate and respond to operational disruptions caused by external IT failures, organizations should undertake legal audits to identify outside business relationships that might be vulnerable to Year 2000 non-compliance. To do so, they must collect detailed information from those vendors and suppliers about their efforts to achieve compliance, and develop, implement and audit informed risk management strategies. By undertaking such a comprehensive effort to prepare for Year 2000, organizations will be able to:
A Year 2000 legal audit should include the following measures: Contract Review and Negotiations. All contracts, insurance policies and procurements should be reviewed to evaluate the company's liability exposure and the legal responsibilities of third parties which could affect the company's ability to achieve Year 2000 compliance and conduct its business. The review should include representation, warranty, remedy, force majeure, and indemnification provisions in all contracts that are critical to the organization's mission, including both products and outsourced services such as data processing, facilities management, telecommunications, and distribution. New contracts should clearly assign responsibility for Year 2000 compliance and provide audit mechanisms to verify achievement of project milestones. Requests for Compliance Information. Key suppliers and service providers should be contacted in writing for information about their ability to fulfill their responsibilities after 1999. This information is critical to identifying risky business dependencies and developing contingency plans. Detailed information about the scope of the problem, the use of qualified consultants, project schedules, and fallback options should be explored. Required Disclosures. Accounting standards, auditing requirements, tax and securities laws, other regulatory requirements (e.g. banking, insurance, environmental), and financings, mergers and acquisitions may impose obligations on companies and institutions to exercise due diligence to investigate and disclose material information about potential adverse effects of internal or external Year 2000 failures. Directors and Officers Liability. Board members and senior executives may face personal liability if they fail to exercise reasonable business judgment in connection with Year 2000 problems. Special care must be taken to act in accordance with fiduciary duties and comply with the requirements of indemnification provisions and D & O insurance policies. Litigation Prevention and Control. The prospects of litigation by shareholders, customers, enforcement agencies, and private individuals arising from Year 2000 non-compliance are significant. SPR predicts that the costs and damage awards of Year 2000-related law suits "will probably far exceed the direct costs of repairing the problem itself."(8) Appropriate steps should be taken to document the company's own compliance efforts, maintain the confidentiality of privileged communications and preserve claims against third parties whose failure to achieve Year 2000 compliance could interfere with the company's operations or expose it to losses or lawsuits. Insurance carriers should be notified of potential claims. CONCLUSION An ounce of prevention is the recommended strategy for mitigating the business and legal risks of Year 2000 computer failures. Companies that plan for external Year 2000 problems by working with their trading partners while there is still time to adjust contract terms and develop contingency plans will be in the best position to maintain operations and avoid or reduce liability exposure. Such enterprises may also secure an advantage in the marketplace against competitors that fail to do so. 1. W. Ulrich and I. Hayes, The Year 2000 Software Crisis, p. 7 (Prentice Hall 1997). 2. C. Jones, Software Productivity Research, Inc., The Global Economic Impact of the Year 2000 Software Problem, p. 58 (Jan. 23, 1997). 3. Ulrich and Hayes, ibid., p. 8. 4. Ibid., p. 2. 5. W. Ulrich, "Third-Party Time Bombs," Information Week, June 2, 1997. To the same effect, Peter deJager and Richard Bergeron believe that "outside factors can bring down your enterprise, even if you do have all your internal applications upgraded and 2000-ready." Managing 00: Surviving the Year 2000 Computing Crisis, p. 17 (Wiley 1997). 6. SPR believes that "lag time in getting started means that a significant number of companies will still be working on year 2000 repairs when the clock runs out at midnight on December 31, 1999." Jones, ibid., p. 29. But Ulrich reports that "[a] recent International Data Corp. study found that only 2.8% of CIOs surveyed believe they will miss their year 2000 deadline." W. Ulrich, "A Serious State of Delusion," Information Week, May 1997. 7. Jones, ibid., p. 42. 8. Jones, ibid., p. 16. Steven H. Goldberg, Cosgrove, Eisenberg & Kiley, P.C.,One International Place, Suite 1820 Boston, MA 02110 , 617.439.7775 • Fax 617.330.8774 E-mail shg@tiac.net
|
