Legal Issues Concerning the Year 2000 "Millennium Bug"
by Jeff Jinnett*
A serious computer problem, variously known as the "Year 2000", "Y2K", "Century Date Change" or "Millennium Bug" problem, faces many companies. Although computer experts have done much to promote awareness of some of the technical issues surrounding the Year 2000 problem, little has been published concerning the related legal issues. This article is intended to provide a summary discussion of some of the major legal issues which may arise due to the Year 2000 problem and is written with non-lawyers as well as lawyers in mind.
Copyright © 1996 by Jeff Jinnett.
* Jeff Jinnett is Of Counsel to the law firm of LeBoeuf, Lamb, Greene & MacRae, L.L.P., practicing in the area of computer law. He also serves as President of LeBoeuf Computing Technologies, Inc., a wholly-owned business subsidiary of LLG&M, which is engaged, among other things, in conducting software audits for clients. His e-mail addresses are email@example.com and firstname.lastname@example.org .
The Year 2000 problem arises because most business application software programs (mainframe, client/server and personal computer) written over the past twenty years use only two digits to specify the year, rather than four. Therefore, on January 1, 2000, unless the software is corrected, most computers with time-sensitive software programs will recognize the year as "00" and may assume that the year is "1900". This could either force the computer to shut down or lead to incorrect calculations. Two digits were used by programmers in the past instead of four digits to designate the year to save (then-expensive) memory during processing.
As an example of the type of incorrect calculation which can be produced due to this problem, when a computer sorts dates by year, "00" (for the year 2000) could be identified as an earlier date than "99" (for the year 1999). A financial spreadsheet or projection therefore might show the financial trend for the 1999-2000 period running backwards rather than forwards. Insurance company computers might report a policy running through the year 2001 as having instead expired in 1901. A non-compliant bank computer calculating interest for a financial instrument for the six year period of 1995 through the year 2000 might instead calculate the interest for the period of 1900 through 1995, for a ninety-six year period instead of a six year period.
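The three miscalculations described above can be reproduced in a few lines. The following Python sketch is an added example, not part of the original article: the function names and the sample records are constructed for illustration, and the "windowing" rule with a pivot of 50 (two-digit years below 50 read as 20xx) is an assumed remediation, shown next to the non-compliant reading that hard-wires the century to 19.

```python
# Added illustration: how a six-digit YYMMDD date field misbehaves across the
# century change, and how one assumed remediation (a pivot window) behaves.

# Constructed sample records: (policy id, expiry stored as YYMMDD).
POLICIES = [("P-1", "991231"), ("P-2", "000630"), ("P-3", "011231")]


def legacy_year(yymmdd):
    """Non-compliant reading: the century is always assumed to be 19xx."""
    return 1900 + int(yymmdd[:2])


def windowed_year(yymmdd, pivot=50):
    """Assumed fix: two-digit years below the pivot are 20xx, the rest 19xx."""
    yy = int(yymmdd[:2])
    return (2000 if yy < pivot else 1900) + yy


def full_date(yymmdd, year_of):
    """Expand a YYMMDD field to a comparable (year, month, day) tuple."""
    return (year_of(yymmdd), int(yymmdd[2:4]), int(yymmdd[4:6]))


def sort_by_expiry(records, year_of):
    """Return policy ids ordered by expiry date under the given year rule."""
    ordered = sorted(records, key=lambda rec: full_date(rec[1], year_of))
    return [policy_id for policy_id, _ in ordered]


def is_expired(expiry, today, year_of):
    """True if the expiry date falls before today's date."""
    return full_date(expiry, year_of) < full_date(today, year_of)


def inclusive_years(start, end, year_of):
    """Number of calendar years spanned by the two dates, both ends counted."""
    return abs(year_of(end) - year_of(start)) + 1


if __name__ == "__main__":
    for label, rule in (("legacy", legacy_year), ("windowed", windowed_year)):
        print(label, "sort order:", sort_by_expiry(POLICIES, rule))
        print(label, "policy to 2001 expired in 1996:",
              is_expired("011231", "960901", rule))
        print(label, "interest years 1995-2000:",
              inclusive_years("950101", "001231", rule))
```

A window only defers the ambiguity to the pivot year; widening the stored field to a four-digit year removes it.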
Year 2000 Problem Corrective Costs in the Billions
Gartner Group, Inc., an information technology research firm, has estimated that it will cost between $300 billion and $600 billion to correct the Year 2000 problem worldwide.1 The software corrective work frequently is very time-consuming, requiring considerable programming effort to examine millions of lines of source code (software code readable by a human programmer) in order to locate the six digit date fields and correct them.
For example, The Prudential Insurance Company of America reportedly expects to correct approximately 125 million lines of code at a cost of approximately $150 million.2 Although the costs of corrective action vary from company to company, it is not unusual to find reports of approximately $1.10 per line of source code to correct the date field problem.3
Modification of Existing Computer System Versus Migration to New Systems
In some cases, a company may have to make the initial decision as to whether to (a) modify its existing hardware/software system, or (b) migrate to new hardware/software platforms or architectures. It has been said that behind every crisis lies an opportunity. As an example of this, a company with an aging mainframe system may decide to migrate to a decentralized client/server system with local area networks and wide area networks. Alternatively, a company with an existing client/server environment may decide to create an "intranet" where its computers communicate with each other using the standards and protocols of the World Wide Web, the graphical portion of the Internet. For a company with an existing Internet site, the creation of an "intranet" or "private corporate web" would serve to add scalability to the company from its "intranet" through to its Internet site.
In making the above cost-benefit analysis, the company may wish to take into account the accounting and tax treatment of the possible alternative plans. It should be noted that The Emerging Issues Task Force ("EITF") of the Financial Accounting Standards Board ("FASB") decided on July 18, 1996 that companies in the process of implementing a Year 2000 corrective plan should currently deduct the cost of software corrective modifications rather than capitalizing it. The EITF minutes reportedly did not address purchases of new software to replace existing non-compliant software.4
No "Silver Bullet" Solution
Given the multitude of computer programming languages in use and the variety of business uses for date fields, computer experts have advised that no single "silver bullet" exists to correct the Year 2000 problem.5 In fact, over 40 vendors currently market in excess of 100 software tools to correct the Year 2000 problem (see, e.g., the URL of "http://www.mstnet.com/year2000/yr2000.htm" for information about The Year 2000 Resource Book published by Management Support Technology, which profiles most of these vendors and their products).
Although it appears that any company can become Year 2000 compliant if it starts corrective action soon enough and devotes sufficient resources to the effort, Year 2000 experts recommend that corrective action begin as soon as possible and not be delayed until there may not be enough time left to complete the requisite reprogramming and testing. Companies may face unexpected technical delays, as where they discover that portions of their old "legacy" mainframe software have no source code documentation and the original programmers have died, retired or are otherwise no longer accessible. Companies may also face delays due to legal difficulties, as discussed in more detail below.
Many Companies Will Not Become Year 2000 Compliant in Time
According to a recent study by Olsten Corp., nearly one in six North American senior executives surveyed were unaware of the Year 2000 problem.6 Gartner Group, Inc. has estimated (with a probability of 0.7) that approximately 50% of the companies with this software problem may not become Year 2000 compliant in time and will have all or part of their computer systems shut down (or start producing incorrect data) on or after January 1, 2000.7 Major software vendors such as IBM are in the process of issuing Year 2000 upgrades to existing software products (see, e.g., the URL of "http://www.software.ibm.com/year2000/perspect.html"). For major companies with heavily customized software systems, however, much of the corrective work will have to be done by the companies themselves.
Software Inventory/Data Processing Flow Chart
The first step a company should take to become Year 2000 compliant is to prepare an inventory of the hardware and software being utilized in its business. Although the Year 2000 problem is primarily a mainframe software problem, it can also exist in computer hardware (e.g., clocks in the BIOS code located on the PC (ROM) chips), in client/server environments and in PC software. In addition to utilizing scanning software (which searches a networked system to locate and identify software packages on the system), the company should prepare a data processing flow chart with supporting documentation showing specific processing steps being performed by the company's computer system in order to accomplish the required business functions (see Diagram "A", at the end of this article).
All software programs known to be owned or licensed by the company should then be identified to the flow chart in order to determine if any processing steps are revealed which have no software programs identified to them, thus revealing previously unknown, undocumented software in use (see Form "1", at the end of this article). In some cases, undocumented software can enter a computer system if staff computer technicians use third party applications, tools and utilities to solve pressing processing problems and neglect to notify higher management that new software has been inserted into the system.
Some companies reportedly are foregoing the inventory step, proceeding directly to corrective Year 2000 work on their computer systems. In the final testing phase, however, this may result in the computer system refusing to test as Year 2000 compliant due to undocumented software applications, tools or utilities which have not been fully corrected. As noted below, moreover, a failure to conduct the initial inventory phase in conjunction with a legal audit may lead to problems in preserving the company's legal rights against software vendors.
Once all software packages are identified, the company's general counsel and/or outside counsel should locate and review the license agreements and long-term maintenance agreements relating to all third party licensed software. The company will then be able to identify the appropriate vendor to contact in order to request information as to the availability of Year 2000 software upgrades. (See also Year 2000 upgrade informational sources such as the URL of "http://www.auditserve.com/yr2000/yr2ktrk.html").
It has been reported in the press that companies have begun sending letters to all of their software vendors requesting information as to when their software will become Year 2000 compliant.8 In some instances the software licensed has undergone a product name change during the years, or the owner/licensor of the software has changed its name or been the subject of an acquisition. In that case, a search of various computer databases such as Lexis®-Nexis® 9 may be necessary in order to determine the correct current vendor and product name.
Potential Obligation of Maintenance Vendors to Fix Year 2000 Problems
A further purpose is served by locating the relevant license agreements and maintenance agreements for all third party licensed software. If the third party license agreement is accompanied by a long-term maintenance agreement surviving past January 1, 2000, the vendor may have an obligation to make its software Year 2000 compliant at the vendor's expense. Counsel will need to review the relevant license and maintenance agreements in this regard, but until recently, many such agreements were silent as to the Year 2000 problem.
Some vendors may disclaim liability for providing Year 2000 upgrades at no additional cost under the maintenance agreements, arguing that the Year 2000 problem was well-known in the computer industry and constitutes an "assumed risk" of the customer. The failure to at least request a vendor in writing to make its software Year 2000 compliant at its own cost under the long-term maintenance agreement may constitute a waiver by the customer of its right later to seek reimbursement for the costs it incurs in making the changes itself. It would also, in that event, deprive the customer's insurer of subrogation rights against the vendor.
Potential Obligation of Outsourcing Vendors to Fix Year 2000 Problems
Companies should also review all their data processing outsourcing agreements in order to determine if the outsourcing vendors may have an obligation to undertake the Year 2000 compliance work at their cost. It has been suggested that key provisions in the typical outsourcing agreement which may be relevant to this analysis are the sections dealing with the scope of facilities management and the size of anticipated workload.10
Company counsel should also examine any provisions in the outsourcing agreement whereby the outsourcing vendor agrees as part of its fixed fee to cure any "defects", "bugs" or "viruses" found within the software programs used in processing the company's data. The "Millennium Bug" might not technically be viewed to be a virus, since a virus is typically understood to be a software program that can "infect" other programs by modifying them to include a version, possibly evolved, of itself.11 The Year 2000 problem might, however, be viewed to constitute a "defect" or "bug" within the program, which interferes with the program's intended operation.
The obligation for an outsourcing vendor to cure software defects in the system sometimes is found in a systems software maintenance provision in the data processing outsourcing agreement. A typical provision of that type might read essentially as follows:
- "Systems Software Maintenance. As part of the Base Services, Vendor shall provide Customer with Systems Software maintenance and Systems Software production support services as described in Exhibit ___, including but not limited to (1) preventive and corrective maintenance to correct defects and failures in the Systems Software and any third party systems software, (2) installing, testing and maintaining upgrades to the Systems Software and any third party systems software and (3) changes, enhancements and replacements of the Systems Software or additional Systems Software, as Vendor deems necessary, in order to perform the Services in accordance with the Performance Standards."
As in the case of long-term maintenance providers, outsourcing vendors may strongly resist the suggestion that Year 2000 corrective costs be absorbed as part of their fixed fee. Companies in this situation still may decide to make the demand of their outsourcing vendor in writing rather than waive it. The company then would proceed to correct the Year 2000 problem at its expense while expressly preserving its right at a later date to seek reimbursement of its costs from the outsourcing vendor.
Some software vendors may abandon hardware and/or software products rather than incur the cost of creating Year 2000 upgrades. Hardware vendors may also decide to abandon products in order to kill off a second-user market and force customers to upgrade to more expensive equipment. A careful review of the relevant agreements with the vendor will then be necessary in order to determine the vendor's legal ability to force such a product switch.
Contaminated Third Party Data
A company's computer system, even if Year 2000 compliant, may fail to process, produce error messages or generate incorrect data if the company receives contaminated programs and/or data from third party suppliers which are not Year 2000 compliant. In this respect, the Year 2000 "Millennium Bug", even though not created with malicious intent and possibly not technically constituting a "virus", may still be thought of as acting in the manner of a "virus" that can re-infect a computer system even after it has been made Year 2000 compliant.
A complete data processing flow chart of the company's computer systems would help to resolve this difficulty by identifying where third party software programs and/or data is input and processed. Companies which are vulnerable to non-Year 2000 compliant software or data from outside suppliers should (a) contact their suppliers at an early date in order to determine their suppliers' Year 2000 compliance plans and (b) monitor their suppliers' progress in actually becoming Year 2000 compliant. Company counsel should also analyze what legal recourse may be available in the form of indemnification provisions and similar provisions in the company's contracts with the suppliers which could serve to protect the company in the event the suppliers do not become Year 2000 compliant in time.
GENERAL CONTRACT ISSUES
Year 2000 Compliance Warranties
Various companies and governmental agencies have reportedly revised their standard contract forms to require that any new software proposed to be sold or licensed to them be Year 2000 compliant.12 The following are a few sources for examples of Year 2000 compliance warranty language: (a) GSA Year 2000 contract language presented to the Year 2000 Interagency Committee, at the URL of "http://www.itpolicy.gsa.gov/library/yr2000/y209rfp1.htm"; (b) "Year 2000 Warranty", located at the URL of "http://www.year2000.com/archive/warranty.html"; (c) Michael Krieger, "Drafting Tip: The Threat of 2000: Calendar Clause Protection", in the May, 1996 issue of Cyberspace Lawyer, Vol. 1, No.2; (d) National Institute of Standards and Technology, Department of Commerce: FIPS PUB 4-1, "Representation for Calendar Date and Ordinal Date For Information Interchange", located at the URL of "http://www.nist.gov/itl/div879/yr2000.htm"; (e) APT Data Services, "Pain or Gain in the Year 2000?", Computer Business Review, March 1, 1996, No. 36, vol. 4; and (f) "Draft Year 2000 Sample Procurement Specifications" at the URL of "http://188.8.131.52/horizon/year2000/drftspec.htm".
It should be noted that the vendor should be required to both "represent" and "warrant" as to its product being Year 2000 compliant so that the customer is legally entitled to both equitable remedies (such as rescission of the contract) for a breach of the "representation" and remedies at law (such as money damages) for breach of the "warranty".
"Millennium Bug" as an Event of "Force Majeure"
Many contracts contain a "force majeure" clause which protects a contract party from a claim of default when it fails to perform due to an Act of God or other event beyond the party's reasonable control. It is unlikely that the Year 2000 problem would be viewed as an Act of God, since it is a known problem, which can be corrected with enough planning and resources. However, depending on the particular language used in each force majeure clause and the facts and circumstances surrounding the failure to perform, the Year 2000 problem may be claimed to constitute an event of "force majeure" in some contract disputes. Some companies may wish to alter their standard force majeure language to rule out the Year 2000 problem specifically.
Software License/Copyright Restrictions
As the time remaining for corrective work becomes short, some companies may decide to simply provide an off-line copy of all of their computer applications, tools and utilities to a Year 2000 service provider. The service provider would then load the software onto its computer system in order to perform the Year 2000 corrective work. One legal issue which should be kept in mind is that many software licenses contain confidentiality restrictions barring the licensee from disclosing, or providing a copy of, the software to any third party without the consent of the licensor.
Even if the service provider were to copy the company's software onto an off-line computer system at the licensee's premises, the vendor may argue that the creation of this maintenance copy, despite its retention on the licensee's premises, constitutes a breach of the license agreement and an infringement of the vendor's copyright in the software program.
Further, if the Year 2000 service provider were to decompile, disassemble or otherwise reverse engineer a software application where it had been given only an "object code" version of the software (i.e., software in a format readable only by the computer and not by a human programmer), this would also violate a related software license agreement which prohibited such reverse engineering. Although Section 117 of the U.S. Copyright Act arguably permits the purchaser of a copy of software to modify the copy in order to be able to correct the Year 2000 problem, a licensee of software who is prohibited from modifying the licensed software would be expected to honor the license restrictions.13 The licensee in that instance would normally contact the vendor for a Year 2000 upgrade or modification or obtain the vendor's consent to make the modification itself.
In addition, some maintenance agreements provide that warranties as to system performance automatically become void if any party other than the software maintenance vendor modifies the system. Care should be taken to avoid this result, where possible.
A difficult legal issue arises if the licensor indicates that it will issue a Year 2000 upgrade in mid-1999 and the "object code only" licensee doubts that the licensor will meet even that late deadline. It is conceivable that in cases where the licensee cannot replace the defective software, the licensee may decide to reverse engineer the software in order to obtain access to source code and modify it, taking the risk of a breach of license agreement lawsuit from the vendor, rather than the risk of not receiving a Year 2000 upgrade in time. In such a case, the licensee's breach of the agreement might appear less egregious if the licensee made the modifications itself, rather than have an unaffiliated third party service provider make the modifications.
In light of the above issues, service providers offering Year 2000 corrective services may attempt to provide their services on an "as is" basis and may require indemnifications from their customers against third party licensor suits for infringement.
Export Restrictions on Encryption Software
Companies may decide to retain the services of an overseas Year 2000 service provider, such as a programming facility in India, the Philippines or South Africa, in order to obtain the services of less expensive programmers. Also, programmers experienced in COBOL ("COmmon Business Oriented Language") and other relevant programming languages may become scarce in the next few years as their services are booked up for Year 2000 corrective work by individual companies and Year 2000 service providers. Companies starting their Year 2000 corrective work late may be forced to retain programmers outside the U.S. in order to gain access to the quantity of personnel needed.
In that event, the company should be careful to examine any cryptographic software applications in its software system portfolio prior to export. Encrypted applications might include wire transfer systems, communications systems or any other software application where the processed data is encrypted to make it secure. (For additional information on cryptography and encryption software, see "RSA's Frequently Asked Questions About Today's Cryptography", at the URL of "http://www.rsa.com/PUBS/labs_faq.pdf").
Under the Arms Export Control Act, certain encryption software is listed on a U.S. Munitions List and is prohibited from being exported. The prohibition is enforced by the Office of Defense Trade Controls ("DTC") in the U.S. Department of State pursuant to its International Traffic in Arms Regulations ("ITAR"). Under certain circumstances, the DTC may decide pursuant to a "commodity jurisdiction" procedure that the software proposed to be exported has both a commercial and military potential use and is governed by the less restrictive Export Administration Regulations ("EAR"). The exporting company then may apply for a license to export the encryption software from the U.S. Department of Commerce. If jurisdiction remains with the State Department, however, the export request might also have to be reviewed and approved by the National Security Agency.
Due Diligence on Acquisitions
In connection with all due diligence investigations of target companies, the acquiring company should investigate the target company's Year 2000 compliance status. Some companies may decide to sell divisions or subsidiaries before the Year 2000, because it would cost more to make the division or subsidiary Year 2000 compliant than its net revenues justified. The acquiring company should make this same analysis and either reserve the right to adjust the purchase price to reflect this Year 2000 compliance cost or reserve the right to "walk" in the event the acquiring company's post-due diligence estimate of the Year 2000 compliance cost exceeds a pre-agreed minimum.
The Wall Street Journal, in an article entitled "The Year 2000 and the CEOs' Big Secret",14 recently reported that companies with significant Year 2000 problems were reluctant to talk about the magnitude of their Year 2000 corrective work, for fear of providing damaging information to future plaintiffs in the event the Year 2000 problems were not corrected in time. As is discussed in more detail below, companies may not be able to safely hide their Year 2000 problems, because disclosure may be required under various accounting standards, securities laws and bank examination policies.
Accounting Standards Which May Mandate Disclosure
The guiding principles for the preparation by a company of its financial statements are "generally accepted accounting principles" ("GAAP"). These standards are promulgated by FASB and the American Institute of Certified Public Accountants ("AICPA"). One of the GAAP principles promulgated by FASB is Statement of Financial Accounting Standards No. 5 ("SFAS 5") ("Accounting for Contingencies"), which provides that contingencies which are reasonably possible, whether or not the amount can be calculated or estimated, must be disclosed in a note to the financial statements.
Statement of Financial Auditing Standards
SFAS 5 defines a "contingency" as an existing condition, situation, or set of circumstances involving uncertainty as to possible gain or loss to an enterprise that will ultimately be resolved when one or more future events occur or fail to occur. SFAS 5 uses three classifications:
(A) Probable: the future contingent event is likely to occur.
(B) Remote: there is only a slight chance that the future event will occur.
(C) Reasonably possible: the chance of the event occurring is more than remote, but less than probable.
SFAS 5 gives as an example of a "loss contingency" the "risk of loss or damage to enterprise property by fire, explosion or other hazards", which definition arguably could include the crippling of an enterprise's computer system by the "Millennium Bug". If it is reasonably possible that the company will not become Year 2000 compliant in time, SFAS 5 appears to require the company to disclose this fact in a note to the audited financials.
Moreover, if (a) it is "probable" that the company will not become Year 2000 compliant in time, (b) an asset has been impaired or a liability incurred as of the date of the financial statements, and (c) the amount of the loss can be reasonably estimated, then a charge against earnings for the estimated loss may be required under SFAS 5 and the liability would be reported in the body of the financial statements.
Statements on Auditing Standards
At some time prior to January 1, 2000, a company's independent public accountants ("auditors") may feel obliged in their audit of the company's financial statements to examine the likelihood of the company's failing to become Year 2000 compliant in time. Auditors may wish to document their assessment of the Year 2000 disclosures by their clients in order to show compliance with applicable Statements on Auditing Standards ("SAS"), promulgated pursuant to the AICPA's Generally Accepted Auditing Standards ("GAAS"), the guiding standards for the audit of financial statements. SAS No. 53 ("The Auditor's Responsibilities to Detect and Report Errors and Irregularities") imposes on auditors the duty to plan each audit to provide reasonable assurance of detecting "errors", defined as unintentional misstatements and omissions, and "irregularities", defined as intentionally false or misleading statements, that reach a "financial statement" level of materiality. SAS No. 59 ("The Auditor's Consideration of an Entity's Ability to Continue as a Going Concern"), which relates to a company's ability to remain a going concern for a "reasonable period" not to exceed one year, may also force the auditor (commencing in 1999) to consider the effect on the company of a failure to become Year 2000 compliant.
The auditors therefore may be obligated, in order to demonstrate compliance with SAS Nos. 53 and 59, to review the company's Year 2000 compliance plan and the status of its implementation. Other Statements of Auditing Standards, such as SAS No. 54 ("Illegal Acts By Clients"), may also raise significant issues with respect to the impact of a failure to become Year 2000 compliant on a company's financial reporting.
Pressure to Disclose Due to Potential Securities Law Liability of Auditors
An auditor is considered to be an "expert" under Section 11(b) of the Securities Act of 1933 ("1933 Act") for purposes of the financial statements reported on by the auditor and included, together with the auditor's opinion, as the "expertised" portion of the issuer's registration statement in connection with the sale of securities. As is discussed in more detail below, auditors have securities law liability for material misstatements or omissions in the company's financial statements.
In particular, auditors are held to a higher obligation to exercise "due diligence" with respect to their portion of the registration statement than non-experts, such as the issuer and the underwriter, are held to with respect to the entire registration statement. With respect to the "expertised" financial statement portion of the registration statement, the issuer and underwriter are not required to have made an investigation but must establish that they had no reasonable grounds to believe and did not believe that there was a material misrepresentation or omission in the "expertised" financial statement portion.
As a result of the auditors' higher "due diligence" obligation (and in light of the potentially disastrous impact on a company's business operations if it failed to become Year 2000 compliant in time), auditors are likely to become more cautious in the next few years in dealing with a company's Year 2000 compliance problem in the course of auditing the company's financial statements.
Disclosure in Auditors' Opinions
In a standard unqualified opinion, the auditors would typically state, among other things, that (1) the financial statements are the responsibility of the company's management, (2) the auditors' responsibility is to express an opinion on these financial statements based on their audit, which audit was conducted in accordance with GAAS, (3) GAAS requires the auditors to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, and (4) in the auditors' opinion, the financial statements present fairly, in all material respects, the financial position of the company as of a particular date, and the results of its operations and its cash flows for the year then ended in conformity with GAAP.
If a note were added to the company's financial statements concerning the Year 2000 problem and the auditors were to decide that a departure from the standard unqualified opinion is required due to uncertainty concerning the company's Year 2000 problem, the auditors might add an additional explanatory paragraph to their standard unqualified opinion reading something like the following:
- "As discussed in Note ___ to the financial statements, a material portion of the Company's hardware and software computer system used in the conduct of its operations requires correction with respect to the so-called 'Year 2000' problem, as is more fully described in Note ___. The Company has adopted a Year 2000 corrective plan and is in the process of implementing that corrective plan. The ultimate success or failure of the corrective plan and the extent of such success or failure cannot presently be determined. Accordingly, no provision for any liability that may result from the failure of the Company to implement fully its Year 2000 corrective plan has been made in the accompanying financial statements."
If the financial statements were to fail to include a note with respect to the Year 2000 problem and the potential liability arising with respect to the problem, despite the auditors' recommendation to the company that such a note be added, the auditors may decide to issue a qualified opinion which states that the financial statements present fairly, in all material respects, the financial position of the company, "with the exception of" the effects of the Year 2000 matter, as described in an explanatory paragraph preceding the opinion paragraph of the report.15
Securities Laws Which May Mandate Disclosure
Public companies are required to file an annual report on Form 10-K and quarterly reports on Form 10-Q with the U.S. Securities and Exchange Commission ("SEC"). Pursuant to Reg. S-K, Item 303, each such annual report and quarterly report must include a section entitled "Management's Discussion and Analysis of Financial Condition and Results of Operations" ("MD&A"). Instruction 3 to Item 303(a) provides that:
- "The discussion and analysis shall focus specifically on material events and uncertainties known to management that would cause reported financial information not to be necessarily indicative of future operating results or of future financial condition. This would include descriptions and amounts of (A) matters that would have an impact on future operations and have not had an impact in the past, and (B) matters that have had an impact on reported operations and are not expected to have an impact upon future operations."
As of the date of publication of this article, the SEC has not issued a formal statement concerning the Year 2000 problem. It is likely, however, that the SEC would take the position that any public company which knew that it was reasonably likely that it would not become Year 2000 compliant in time, with a resulting material effect on its business, is required to disclose this event and uncertainty in the MD&A section of its annual report and quarterly reports.(16)
Illustrative of this is the SEC's Securities Act Release No. 6385, implemented in Financial Reporting Release No. 36 (May 18, 1989), which provides that a disclosure duty exists when "a[n]... uncertainty is both presently known to management and reasonably likely to have material effects on the registrant's financial condition or results of operations." Essentially, disclosure would be required in the MD&A unless management decided that "a material effect on the registrant's financial condition or results of operations is not reasonably likely to occur."
Potential Liability of Officers and Directors of a Public Company Which Fails to Disclose a Year 2000 Problem and Then Fails to Become Year 2000 Compliant in Time
As noted above, under certain circumstances, a public company would be required to disclose its Year 2000 problem in the MD&A section of its annual report, quarterly reports and in the company's financial statements. If the company were to fail to disclose a Year 2000 problem when required to do so, the securities law consequences could be significant.
The annual report is often incorporated by reference into a company's registration statement pursuant to the SEC's "Integrated Disclosure System", for purposes of registering stock for issuance to the public. Section 6(a) of the 1933 Act requires that every registration statement (which includes the prospectus) be signed by the issuing corporation's principal executive officers and financial officers, its principal accounting officer and a majority of the board of directors.
Section 11(a) of the 1933 Act makes every signatory to the registration statement (and every director of the issuer, whether a signatory or not) liable for material misstatements and omissions to any person who acquires securities issued under it. Underwriters, auditors and lawyers involved in the issuer's stock offering may also be held liable under Section 11. Evidence of "due diligence", however, can provide a defense against a Section 11 action. (See, e.g., Rule 176 ("Reasonable Investigation and Reasonable Grounds for Belief Under Section 11"), promulgated by the SEC under Securities Act Release No. 6335).
Further, under Section 12(2) of the 1933 Act, an issuer may be held liable to a shareholder in a private action for any untrue statement in a prospectus of a material fact or failure to state a material fact necessary to make the statements made in the prospectus not misleading. Section 12(2) applies to any public offer or sale of a security (whether registered or not) "by means of a prospectus or oral communication". The issuer is afforded a "due diligence" defense if it "did not know, and in the exercise of reasonable care could not have known" of the falsity.
In addition, Section 10(b) of the Securities Exchange Act of 1934 ("Exchange Act"), as interpreted by Rule 10b-5 of the SEC, essentially makes it unlawful for any person (which may include the issuer, underwriter, auditors and attorneys) to sell any security in interstate commerce while employing a "manipulative or deceptive device", which term includes making any untrue statement or omitting any statement of a material fact.
A private action by a purchaser under Section 10(b) and Rule 10b-5 must allege a material and false representation or omission by the issuer in connection with the purchase and sale of securities, the use of means and instrumentalities of interstate commerce, scienter (intent to deceive, manipulate or defraud, or in certain cases, recklessness), reliance by plaintiff and damages suffered by plaintiff. A private action under Section 11 of the 1933 Act need not allege intent to deceive.
The SEC itself may institute enforcement actions with respect to registration statements which contain material and false representations or omissions under Section 17(a) of the 1933 Act (which covers any fraudulent scheme in an offer or sale of securities, whether in the course of an initial distribution or in the course of ordinary market trading) and under Rule 10b-5 under the Exchange Act. Section 24 of the 1933 Act provides for criminal penalties for securities law violations.
Purchasers of securities may also avail themselves of the protection afforded by the disclosure and liability provisions of the securities laws ("Blue Sky" laws) enacted by the various states.
Standards of Care of a Director
The laws of the state of a company's incorporation typically impose standards of care on the company's directors, which could be breached if the directors are grossly negligent in dealing with the Year 2000 problem, resulting in potential personal liability for the directors. The Model Business Corporation Act (Section 8.30(a)), adopted by some of the states, defines the director's duty of care as the duty to act in good faith with the care an ordinarily prudent person in a like position would exercise under similar circumstances and in a manner the director reasonably believes to be in the best interests of the company.
Some states, like Delaware, have not codified the duty of care, but Delaware courts have held that directors should act with the care of an ordinary prudent person.(17) Some state due care codifications add a requirement that the director use "reasonable inquiry". Section 309(a) of the California Corporation Code sets forth an example of such a provision, providing that:
- "A director shall perform the duties of a director, including duties as a member of any committee of the board upon which the director may serve, in good faith, in a manner such director believes to be in the best interests of the corporation and its shareholders and with such care, including reasonable inquiry, as an ordinarily prudent person in a like position would use under similar circumstances."
If a public company fails to adequately disclose its Year 2000 problem in its annual report on Form 10-K, quarterly reports on Form 10-Q and in its registration statements and subsequently has to substantially curtail or shut down its business on or after January 1, 2000 due to the problem, produces incorrect data commencing on that date, or otherwise experiences substantial operational difficulties, resulting in damage to its business, the company's stock price is likely to drop. Shareholder suits based on one or more of the above federal and/or state securities laws are likely to follow. Civil and/or criminal enforcement action by federal and/or state securities authorities might also occur.
In addition, irrespective of whether adequate disclosure of the Year 2000 problem was made or not, in the event a public or private company fails to become Year 2000 compliant in time, the shareholders may institute individual suits, or derivative suits in the name of the company, against the directors alleging breach of their duty of care under state law.
Documentation of Year 2000 Compliance Program to Establish Due Diligence Defense and Protection Under the Business Judgment Rule
Directors are permitted to rely on the reports of the company's officers, counsel and third party experts in the course of making corporate decisions. In the event a company's board of directors adopted a Year 2000 corrective plan, but the company unexpectedly failed to become Year 2000 compliant in time and the directors were sued by the company's shareholders, the directors would likely find it useful to be able to produce detailed documentation as to the company's Year 2000 corrective plan and the diligence with which it was pursued.
The "Business Judgment Rule" essentially protects directors from court review and liability for an honest mistake of business judgment, so long as the challenged board decision was intended to serve the business purposes of the corporation and did not involve fraud, illegality or conflict of interest. The exact formulation of the Business Judgment Rule varies from state to state and some courts require the directors to show that they performed appropriate "due diligence" in informing themselves of the merits of the business issue before reaching a decision.
As an example of a codification of the Business Judgment Rule, Section 141(e) of the Delaware General Corporation Law provides that:
- "A member of the board of directors, or a member of any committee designated by the board of directors, shall, in the performance of his duties, be fully protected in relying in good faith upon the records of the corporation and upon such information, opinions, reports or statements presented to the corporation by any of the corporation's officers or employees, or committees of the board of directors, or by any other person as to matters the member reasonably believes are within such other person's professional or expert competence and who has been selected with reasonable care by or on behalf of the corporation."
In some states, such as Delaware, director liability for breach of the duty of care, under the Business Judgment Rule, has been held by courts to require a showing that the directors acted with gross negligence.(18) However, the Business Judgment Rule has been held by some courts not to apply to protect the directors where they abdicated their functions and failed to act. In that instance, the directors could be held liable against a showing of simple negligence.(19)
Thus, in order to avail themselves of the protection of the Business Judgment Rule to deflect shareholder suits seeking court review of the company's adoption and implementation of its Year 2000 corrective plan, the directors may need to show that they had consulted with Year 2000 experts and responsible corporate officials in a timely manner prior to adopting the corporation's Year 2000 corrective plan. This documentation also could serve to establish a "due diligence" defense in the event the directors become the subject of a lawsuit under Sections 11 or 12(2) of the 1933 Act or Section 10(b) of the Exchange Act and Rule 10b-5.
Statutory Limitations on Liability, Corporate Indemnification and D & O Insurance Coverage
Under the corporation laws of some states, such as Delaware, companies (1) are permitted (with the approval of their shareholders) to limit or eliminate their directors' (and in some instances officers') monetary liability for breaches of their fiduciary duties, and (2) may indemnify their directors against expenses, judgments, fines and settlement payments in third-party actions and derivative actions, provided the directors acted in good faith and in a manner they reasonably believed to be in the best interests of the company.(20)
However, although many state laws permit companies to adopt the above limitation of liability and liberal indemnification policies, not all companies have adopted such limitation of liability and indemnification policies and incorporated them into their charter documents. Some corporations also have no D & O liability insurance or have policies with low policy limits.
Since the potential liability of officers and directors of a company which fails to become Year 2000 compliant in time could be considerable, company counsel should review with the company's directors and officers the company's D & O insurance policies, limitation of liability provisions and indemnification provisions so that they may be revised and updated appropriately. Officers and directors who have received personal indemnification agreements from their companies may wish to have their personal counsel re-review the agreements with the Year 2000 problem in mind.
Disclosure Due to Bank Examinations
Regulated banks with significant loan portfolios are likely to be reviewing their exposure to major debtors that have serious Year 2000 compliance problems.(21) This is in part because bank examiners are likely to be reviewing loan portfolios of banks in the next few years to determine if adequate allowances have been made for possible loan defaults due to Year 2000 compliance problems. (See, e.g., the Federal Financial Institutions Examination Council ("FFIEC") Interagency Policy Statement on the Allowance for Loan and Lease Losses ("ALLL")).
For companies with major lines of credit or bank loans outstanding, the Year 2000 compliance problem, if not handled correctly, may seriously cripple the company's finances even prior to the Year 2000. For example, if a company's line of credit is callable in the event the auditor's letter is qualified in any respect, the delivery of an audit letter in 1999 which is qualified as to the Year 2000 compliance issue might trigger a loss of the bank line of credit at the very time when funds are needed to finish the Year 2000 corrective work.
STATUTORY/REGULATORY COMPLIANCE MANDATES
At the present time, it does not appear that the federal government has enacted any statutes or promulgated any regulations requiring any private sector companies to become Year 2000 compliant as a matter of law. However, bills have been introduced recently in both the U.S. House of Representatives (H.R. 3230) and the U.S. Senate (S. 1745) authorizing appropriations for the Department of Defense ("DOD"), including a mandate on the Secretary of Defense to ensure that all "information technology" acquired and used by the DOD be Year 2000 compliant.
The Office of the Comptroller of the Currency ("OCC") has recognized that this computer problem could wreak havoc in the banking industry. On June 17, 1996, the OCC issued Advisory Letter 96-4 (jointly with the FFIEC) to the CEOs of all national banks, advising them that their banks should correct the Year 2000 problem by the end of 1998, leaving one full year for testing. (See the URL of "http://www.occ.ustreas.gov/ftp/advisory/96-4att.txt").
The U.S. House of Representatives has also held extensive public hearings on the Year 2000 problem, since federal agencies make extensive use of mainframe computers and reportedly account for a significant percentage of the total corrective cost in the U.S. (See, e.g., the URL of "http://www.house.gov/science/hearing.htm#techmay" and "US Federal Government Year 2000 Survey" at the URL of "http://www.year2000.com/archive/survey.html").
It is possible, due to heightened public concern in the future, that federal and/or state mandates for companies in the private sector to become Year 2000 compliant may issue. If statutory or regulatory mandates are enacted, the Private Securities Litigation Reform Act of 1995 (Pub. L. 104-67) may become of considerable importance to the disclosure issue. This act amends the Exchange Act by adding a new Section 10A (codified at 15 USCA §78j-1(a)), which requires auditors to include in their audits of public companies "procedures designed to provide reasonable assurance of detecting illegal acts that would have a direct and material effect on the determination of financial statement amounts." Section 10A (15 USCA §78j-1(f)) defines "illegal acts" as "an act or omission that violates any law, or any rule or regulation having the force of law".
Thus, if statutory or regulatory Year 2000 mandates are passed at any point in the future, the new Section 10A obligations will come fully into play. The auditors must inform management and the board of directors of the occurrence of an "illegal act" (whether or not it is perceived to have a material effect on the company). If after doing this, the auditors determine that timely and appropriate remedial action is not being taken by management with respect to the illegal act (i.e., complying with the statutory or regulatory Year 2000 compliance mandate) and the auditors reasonably expect the failure to take remedial action to result in the issuance of a non-standard audit report, or resignation from the audit engagement, the auditors must report the situation to the board of directors.
The board then must report the auditors' conclusions to the SEC within one business day thereafter. The auditors are immune from private action for the findings in their report to the board of directors, but are subject to SEC civil penalties if the report is not issued as required.
Business Interruption Insurance
Insurance policies which cover "business interruption" claims (such as property insurance policies) usually require that the business interruption result from a "fortuitous event". A "fortuitous" event has been interpreted by some courts, based on Restatement of Contracts §291, comment [a], to be "an event which so far as the parties to the contract are aware, is dependent on chance." It can be easily argued that since the Year 2000 problem has been well known for years and is totally within the control of the insured to correct, it does not qualify as a "fortuitous" event. Insurance carriers issuing business interruption insurance may decide to highlight the Year 2000 problem in an insert or letter to their insureds in the next year or two in order to be able to establish conclusively that their insureds were aware of the issue.
Directors & Officers Liability Insurance
If a public company were to fail to become Year 2000 compliant in time and shareholder suits against the directors and officers were to result, the company's D & O policy would become of critical importance. Generally, D & O policies will not make any payment, to cite some of the typical exclusions, for any loss arising from any claims made against any director or officer:
- (A) for any fines or penalties imposed in a criminal suit, action or proceeding;
- (B) where the loss represents a personal profit or advantage illegally taken by the officer or director;
- (C) where the loss was brought about by the fraudulent, dishonest or criminal acts of the director or officer, provided that the acts brought about or contributed to the claim adjudicated;
- (D) for bodily injury, sickness, disease or death of any person, assault, battery, mental anguish, or emotional distress;
- (E) for damage to or destruction or loss of use of tangible property; or
- (F) for injury based on invasion of privacy, wrongful entry, eviction, false arrest, false imprisonment, malicious prosecution, libel or slander.
It therefore appears that so long as the insured company is making some effort to correct its Year 2000 problem, even if it is grossly negligent in the process, it still may be covered by its D & O insurance.
However, if a director or officer knew of a fact or circumstance which was likely to give rise to a claim (e.g., a material Year 2000 compliance problem) and failed to disclose or misrepresented the fact or circumstance in the application for D & O insurance, the insurance company may refuse to make payment for any loss arising from a claim against such officer or director.
Although D & O insurance is usually renewed every year, the renewal application usually requests little information and usually does not request any confirmation that no material change has occurred with respect to the representations of the company contained in the original D & O insurance application. Thus, unless a company is applying for D & O insurance for the first time or is switching insurers, its Year 2000 problem may not come up in the renewal process. In light of this, companies with significant Year 2000 problems and a short-form renewal application may hesitate to switch D & O insurers prior to the Year 2000.
Some D & O insurance renewal applications, however, do attempt to ascertain the insured's risk of potential loss, asking, for example, for information about material changes in the insured's financial statements or audit committee procedures. Accordingly, counsel for the insured should review the D & O insurance policy renewal application with the Year 2000 problem in mind to see if any disclosure is required.
COLLATERAL LITIGATION DAMAGE
There may be any number of instances in which the failure to become Year 2000 compliant can cause collateral litigation damage. As an example of how a company may be adversely affected in a collateral respect due to its failure to become Year 2000 compliant, consider the following hypothetical. Assume that the Federal Aviation Administration ("FAA") issues a regulation in 1998 mandating that all air carriers become Year 2000 compliant by December 31, 1999. A plane crashes in February of the year 2000 and the air carrier is sued.
At trial, plaintiff's counsel introduces into evidence the fact that certain parts in the plane were supposed to have been replaced pursuant to a pre-set maintenance schedule in January of 2000. The parts were not replaced, however, due to the failure of the carrier's maintenance computers to be made Year 2000 compliant, resulting in an incorrect calculation of each part's "time in service". Although it is unclear as to whether the parts involved were the proximate cause of the crash, the jury takes the new testimony as evidence of the carrier's reckless attitude toward safety, discounts the carrier's testimony as to lack of culpability with respect to the crash, gives the plaintiff the benefit of the doubt as to "proximate cause" and imposes punitive damages in addition to compensatory damages in order to "send a message".
Computer experts and chief information officers of corporations have long known of the Year 2000 problem from a technical point of view. As is evident from the above discussion, the legal issues surrounding the Year 2000 problem can be equally thorny and merit serious attention. Failure to address the legal issues surrounding the Year 2000 problem can lead to (a) delays from third party vendor lawsuits, (b) loss of claims against vendors who otherwise might be required to pay for Year 2000 corrective costs, (c) legal liabilities for the company and (d) personal monetary liability for the company's officers and directors.
It is recommended, therefore, that any company facing a serious Year 2000 problem involve its general counsel and/or outside counsel, together with its CIO and Year 2000 experts, in the preparation, review and implementation of the company's Year 2000 corrective plan. The final Year 2000 corrective plan should be formally reviewed and approved by the company's key officers and its board of directors so as to lay the groundwork for the officers and directors to be able to establish a "due diligence" defense under securities laws and under the "Business Judgment Rule". Finally, the company's charter limitation of liability and indemnification provisions and D & O insurance policy should be reviewed and amended as appropriate.
New York, New York
August 21, 1996
Author's Note: This article is intended to provide general information and is not intended to provide legal advice regarding specific transactions or matters.
(1) See "'Year 2000 Problem' Gains National Attention" at the URL of "http://www.gartner.com/aboutgg/pressrel/pry2000.html".
(2) See Roger Lowenstein, "The Year 2000 and the CEOs' Big Secret", The Wall Street Journal, July 25, 1996, at p. C1, col. 3.
(3) See Richard Nunno, "The Year 2000 Computer Challenge", June 7, 1996 (Science Policy Research Division); APT Data Services, "Counting the Cost of Year 2000", Computer Finance, March 1, 1996, No. 10, Vol. 6; see also "Year 2000 Cost Estimating", at the URL of "http://cfcse.ncr.disa.mil/jexhome/y2estm8r.html".
(4) See Alison Bennett, "Expensing Computer Change to 4-Digit Years in 2000 is Appropriate, Practitioner Says", BNA Management Briefing, July 23, 1996; Steve Burkholder, "Switching Computers to Four-Digit Years in 2000 to be an Expense, Not Capitalized", Taxation, Budget and Accounting (BNA), July 19, 1996, No. 139, at p. G-3.
(5) See, e.g., Testimony of Barry Ingram, Chief Technology Officer and Vice President of Technical Services of EDS Government Services Group on May 14, 1996 before the U.S. House of Representatives Committee on Science, Subcommittee on Technology ("http://www.house.gov/science/barry_ingram.htm").
(6) See Edge Publishing, "Millennium Bug: Most Companies Preparing For 'Year 2000' Systems Issue", Edge: Work-Group Computing Report, June 3, 1996.
(7) See Mark Evans, "The Profit Clock is Ticking on 2000 Countdown," The Financial Post, May 8, 1996, at p. 22; APT Data Services, "Counting the Cost of Year 2000", Computer Finance, March 1, 1996, No. 10, Vol. 6.
(8) See Paul Barker, "Consultant Warns IS: Economic Chaos Looms", Computing Canada, June 20, 1996.
(9) Lexis® and Nexis® are registered trademarks of Reed Elsevier Properties, Inc.
(10) See John Xenakis, "The Fin de Siecle Computer Virus", CFO, July 1995, Vol. 11, No. 7, p. 67.
(11) See Dr. F. Cohen, A Short Course on Computer Viruses (2d Ed.) (Wiley Professional Computing 1994) at p. 2.
(12) See, e.g., Thomas Hoffman and Julia King, "Small Vendors Pressed For Year 2000 Remedy", Computerworld, May 6, 1996, at p. 1.
(13) See, e.g., R. Nimmer, The Law of Computer Technology (Warren, Gorham & Lamont 1996) at p. 1-109. Record companies and book publishers typically sell copies of their records and books to the public. Some vendors similarly sell their software or multimedia works in diskette or CD-ROM form to their buying public. Most software today, however, is licensed to the customer, rather than sold, because it allows the vendor greater control of the use and further disposition of the software. For further information on the distinction between the sale and license of software, see, e.g., S. Fishman, Copyright Your Software (Nolo Press 1994) at p. 12/5-12/9.
(14) See footnote no. 2, above.
(15) See Terry Lloyd and Dan Goldwasser, "The Work of the Outside Accountant" in Practicing Law Institute, Accounting For Lawyers (1995) at p. 169.
(16) See Steve Hemmerick, "Year 2000 Problem Creates Expensive Race Against Time", Pensions & Investments, August 5, 1996, at p. 3.
(17) See E. Brodsky and M. Adamski, Law of Corporate Officers and Directors, (Clark Boardman Callaghan 1995), Section 2:04, at p. 2-11 and 2-12.
(18) Id., at Section 2:07, p. 2-29.
(19) Id., at Section 2:12, p. 2-51 through 2-56.
(20) Id., at Section 2:05, p. 2-16 through 2-24, Section 19:03, p. 19-4 through 19-17.
(21) See Grant Buckler, "Financial Sector Grapples With 2000 Bug", Newsbytes, July 11, 1996.
SOFTWARE APPLICATION DESCRIPTION
- SOFTWARE APPLICATION NAME:
- SOFTWARE ACRONYM:
- NUMBER ON DATA PROCESSING FLOW CHART:
- [FOR EXAMPLE, "NO. 62"]
- MAJOR BUSINESS FUNCTIONS:
- APPLICATION RECEIVES DATA FROM:
- [IDENTIFY SOFTWARE APPLICATIONS WHICH FEED DATA TO THE SUBJECT SOFTWARE APPLICATION -- FOR EXAMPLE, APPLICATION 63]
- PROCESSES DATA AND DISTRIBUTES IT TO FOLLOWING SOFTWARE APPLICATIONS FOR FURTHER PROCESSING:
- [IDENTIFY SOFTWARE APPLICATIONS -- FOR EXAMPLE, APPLICATIONS 59 AND 61]
- IS SOFTWARE APPLICATION OWNED: _____YES _____NO
- IF YES, IDENTIFY VENDOR AND IDENTIFY LICENSE AGREEMENT:
- IS SOURCE CODE AVAILABLE: ____YES _____NO
- IS APPLICATION THE SUBJECT OF A MAINTENANCE AGREEMENT: ____YES _____NO
- IF YES, IDENTIFY MAINTENANCE AGREEMENT: