MILLENNIUM BUG - The law takes on the bug.

Dateline 4 January 2000 – the day when millions of workers return after their holiday excesses to turn on their computers and find out whether it will be business as usual or a digital doomsday of biblical proportions for our systems-dependent society. While for the majority of companies business will probably continue without major problems, the likelihood of a catastrophe cannot be discounted. But business disruption is just the tip of the iceberg. If problems do occur, many directors are asking: Who will pick up the pieces after the lights go out? And where does the buck stop in this nightmarish risk-management scenario? As a result, companies are scrambling to protect themselves from being sued by customers and business partners should a Y2K computer failure disrupt business. They have already added clauses to their standard terms and conditions, limiting or excluding them from liability for Y2K problems. The question is whether these clauses are enough to protect a business from legal claims from customers and partners if that business is unable to provide the usual goods or services because its IT systems have crashed. The answer from the lawyers is a confusing “yes and no”. Uncertainty arises because there is no specific Y2K legislation, and the only protection against liability comes from adapting existing legal remedies in the hope of covering what are, as yet, unknown consequences. In short, defences will depend on the wording of each individual contract. A company can take a variety of contractual defences to protect itself in the case of a Y2K failure. Of the options available, “express claims” – the fine-print clauses being added to standard terms and conditions contracts – are likely to provide the strongest legal defence. In theory, it is legally possible for a business to exclude or at least limit its Y2K liability with such clauses. Alistair Maughan, partner at law firm Shaw Pittman, explains this corporate defence: “As a business you would want to shield yourself from claims from customers, while still making claims against your systems suppliers. Most sensible companies, rather than leaving to chance what their Y2K liability – the great unknown – might be, are actually putting into place specific provisions into contracts saying: ‘This our liability, this is what we do and don’t accept.'” Unfortunately for these businesses, express claims are not necessarily an absolute defence against legal action. “My view on Y2K generally is that there will be a number of legal claims made to test the bounds of when a customer can sue, if, say, they can’t fly because the airline’s ticketing system is down, or if someone’s business fails because the bank’s computer refuses to extend an overdraft,” says Maughan. “These are interesting claims that would push the bounds of what you can do under current law, but it’s certainly possible there will be claims for that sort of loss coming out.” Businesses worried about liability can take heart from the fact that it is by no means certain that any Y2K claim will even make it to court. Whether or not a claim can be made may come down to the distinction between direct loss and indirect loss. Claims that can show direct loss are more likely to find a hearing in court than claims based on indirect loss, although Maughan’s general view is that arbitration is a more likely forum for technology-related disputes than the law courts anyway. “Typically, something is direct if it is reasonably foreseeable and it results from someone’s failure; then a claim can be made,” explains Maughan. “However, can you say that someone’s business going under because a bank’s computer refuses to extend them credit when it should is a reasonably foreseeable consequence? Or does it fall into the category of consequential loss? In the case of indirect loss, a claim could be made, but then it is up to the court to determine whether the claim is valid or not.” So, once again, interpretation of an individual claim by the courts will decide whether an action can be pursued. There are other difficulties for businesses hoping to use express claims to exclude liability. Consumers and business partners are protected by legislation – the Unfair Contract Terms Act – which says terms in a contract must be reasonable. So the question then becomes whether or not a business’s express claim excluding liability for Y2K problems is in fact reasonable in the eyes of the law. This is where the real legal nightmare begins. The company excluding liability will say it is being entirely reasonable, while the customer or business partner will argue the opposite. And what constitutes “reasonable” with respect to Y2K contracts has never been tested in UK courts. Sara Ellacott, a partner at law firm Nabarro Nathanson, confirms this problem. “The test of reasonableness is not set in stone anywhere,” she points out. “It’s very much an ad hoc development by the courts on a case-by-case basis. Cases will probably depend on the bargaining position of the parties that put the guidelines into use, whether you could have got the same service from another company, or whether (the clause) was brought to your attention. There’s a whole set of guidelines that come into play.” Reassuringly, Ellacott argues that it is not entirely unreasonable for a business to exclude Y2K liability with an express claim. “Companies will be relying on other suppliers,” she explains. “They will have asked their key suppliers if their systems are Y2K compliant. A number of the suppliers will not have given straight answers, so the company, as a consumer of those goods, is thinking: ‘Well, we’ve got no confirmation that all these things are Y2K compliant, so we have to tell our buyer that we cannot guarantee that everything is going to be OK.’ In a way it’s out of their control as well. They simply can’t make things compliant.” All the afflicted companies can do is hope that the judge sees it that way. In the US, more far-sighted legislators have passed a law – The Year 2000 Information and Readiness Disclosure Act – to indemnify businesses against lawsuits arising from the accuracy of Y2K statements that they make to each other, so only deliberately fraudulent statements in the US will incur legal action. As a result of this, UK companies that conduct business in the US could find some protection in the new American legislation, which was signed by President Clinton last October. The Year 2000 Information and Readiness Disclosure Act encourages information-sharing by granting limited protection from liability in relation to certain types of Year 2000 statements and disclosures. Shaw Pittman’s Alistair Maughan says that as companies everywhere strive to address the millennium bug, the US legislature has realised that it is vital for businesses to share Y2K information if the problem is to be solved within the deadline. “Virtually every business will have already received or sent questionnaires enquiring about the Y2K status of the business or its suppliers or customers. Many businesses, however, have been reluctant to share Y2K information for fear of being subjected to lawsuits based on the information they disclose. This fear of disclosure is holding up the process of solving the Y2K problem,” he says. The US Year 2000 Information and Readiness Disclosure Act is intended to reduce some of those litigation fears, by providing limited protection from liability which might otherwise stem from year 2000 statements. In broad terms, it says that a company making a qualifying statement about its Y2K position cannot be liable on that statement unless the claimant can prove that it is false, inaccurate or misleading, or was made with bad faith, fraud or recklessness. Thus, a company could not be sued solely because a particular Y2K statement ultimately turned out to be untrue, even if the claimant relied on the statement. “The act offers slightly different levels of protection to two different categories of disclosure,” says Maughan. “General statements about Y2K (which are defined in the act as ‘Year 2000 Statements’) gain the basic level protection. In addition there are some extra benefits from making more specific disclosures – which the act calls ‘Year 2000 Readiness Disclosures’. As a result, many US companies have subsequently drafted and published a Year 2000 Readiness Disclosure about their Y2K status to take advantage of the maximum protection offered by the act. However, Maughan warns that there are several exceptions and qualifications to the protection offered by the act. For example, it does not cover statements made in documents filed with the SEC or with US federal banking regulators pursuant to certain provisions of the Securities Exchange Act of 1934. “For this reason,” he adds, “it is important that any business making Y2K statements to customers or contacts in the US has its statements carefully checked to ensure that they fall within the definitions set out in the act and therefore qualify for protection.” But even UK firms who have no dealings in the US do have another defence aside from express claims. Even if a customer or business partner is able to make a claim, businesses may be able to turn to force majeure clauses. This kind of clause lets the affected party off the hook if there is some act of God. If something beyond your reasonable control happens, then it may be that you do not have to carry out your contractual obligations. But once again, there are no guarantees that force majeure will be accepted as a defence for Y2K liability. Adam Taylor, head of the IP and IT groups at law firm Whithers, explains: “The issue is going to be whether Y2K counts as something ‘beyond your reasonable control’. I think it will be difficult to argue that case as far as your own systems are concerned because a court will say it was within your reasonable control, that it was something you could have sorted out.” “If Y2K failure is external and it’s something that you couldn’t have reasonably foreseen, then you’re in a better position to rely on the force majeure clause. On the other hand, if one of your suppliers fails thanks to Y2K, perhaps you should have at least made enquiries. If you never got around to it or did not really look into it, the court might say it was within your reasonable control to make some further enquiries and it won’t be a defence to you.” While Y2K liability is, to date, untested in the UK, we are already starting to see the emergence of Y2K legal action in the US. As yet very few of these disputes have actually gone to trial and most are being resolved out of court by mediation or arbitration – off the public record. Alternative dispute resolution (ADR) in the UK is likely to be a key way of solving Y2K contract problems, if only because the law is so inadequate in respect of technological-based and untested cases. Suing directors is easier in the US, Taylor points out, so the UK is likely to see less actual litigation and more arbitration. Maughan raises a key problem when it comes to determining Y2K liability: “It would be perfect if we had a Y2K statute in this country that said this is what liability is, but we don’t have one. You are back to the old problem that you will find when it comes to IT, that the law is always 10 or 15 years behind the technology.” The only thing that seems certain is that there will be claims made in the new year. And once a claim is made, it is likely to set off an almighty legal chain reaction, with companies passing blame to business partners or IT suppliers and so on, virtually back to the company that is turning sand into silicon for the chips. And businesses can count on the equation that the more damaging the effects of a Y2K disaster and the stronger the bargaining position of the claimant, the more likely it is that action will be taken in court and damages awarded. Lawyers must be rubbing their hands in gleeful anticipation. Y2K PREDICTIONS Y2K spending is going through a major shift, according to market research firm Gartner Group. By the end of this year, the bulk of Y2K related spending in large US businesses will be outside IT. Lou Marcoccio, research director at Gartner Group and a widely respected Y2K expert, made this prediction at the Gartner Group Predicts conference in San Diego last month, during an update on the world’s readiness for the year 2000. A year ago, virtually all Y2K spending went to IT. But by late 1998, large businesses in the US were spending half of their Y2K budgets on other areas such areas as risk assessment, risk management, contingency planning and contingency implementation. By the end of 1999 we will reach a point where two-and-a-half to three times more will be spent outside IT, said Marcoccio. Another prediction: a mere 8% to 10% of Y2K related failures will occur within two weeks of January 2000. 5% of failures have already occurred in 1998 or before, Gartner estimated. Another 25% will occur during 1999, with the number of failures increasing sharply in July, when six month forecasting systems start to encounter dates beyond 1999. 55% of Y2K failures will occur during 2000. The final 15% of failures wont happen until 2001, said Marcoccio. In the last two quarters, governments and businesses have made significant progress towards Y2K readiness, said Marcoccio. But not all the news is good. The gap between the leading countries and companies throughout the world and the laggards has widened dramatically during the last two quarters, he said. The United States and Canada are well ahead of the pack, according to Gartner’s numbers, with 75% to 80% of systems in US government agencies now fixed or almost fixed. But despite the efforts of the UN and the World Bank, many countries are falling increasingly behind the leaders. Even though the UN and the World Bank are making a gallant effort, they are not having sufficient impact, said Marcoccio. Dominique Deckmyn, VNUNewswire. NO AUDIT DATA, NO DEFENCE The finance department is doubly concerned with Y2K issues. Not only does it rely on systems to carry out day-to-day duties, but it needs them to fulfil its audit obligations. Regardless of whether the computers are down, companies will still be required to provide adequate records to the auditors. If companies have an audit due in January 2000, then making sure that their accounting systems are not going to fall over should be at the top of their priorities. Roger Housechild, director of technical services at the ICAEW, confirms that there will be no exceptions in the case of Y2K failure. “If the system were to fall over, then the obligation would then be on the directors to find a method of keeping accounting records thereafter – a manual system or another computer,” he says. “If, when the computer failed, accounting records were destroyed, then an auditor would have a limitation on the scope of his audit which would probably lead to a very heavy qualification and possibly a disclaimer. “He would qualify on grounds that the company has not complied to the Companies Act, which is to keep proper accounting records. Businesses are required to be able to show financial position at any time.” ARE YOU COVERED FOR THE BUG? The insurance industry prides itself on being a vital weapon in the armoury of the risk manager. But the millennium bug has caused insurers to take a similar attitude to lawyers. Caution is the watchword, and since no-one really knows the likely extent of the problem, few companies are willing to offer comprehensive cover. “If, for example, the sprinkler systems go off, or the building burns down as a result of a computer malfunction, then companies will want to look and see if their property policy is going to respond,” says John Trotter, partner at Lovell White Durrant. “Most policies will have an exclusion clause on computer failure. What’s been happening with most property policies is that insurers started off saying that anything to do with Y2K is not going to be covered. Most of them have now moved from that position and are giving a write-back for all the usual perils. So if your building does burn down and can be traced to a Y2K fault in the computer they will cover it.” Insurers will, however, want to be satisfied that a reasonable Y2K audit has been carried out. However bad the Y2K problem actually is, buildings are unlikely to catch fire spontaneously. It follows that the more likely problems are harder to insure against – business interruption cover is far trickier, for example. If, say, a supermarket chain develops a problem with point-of-sale systems, the losses will be heavy. “That could add up to big figures and most insurers are not willing to underwrite that risk,” says Trotter. “Most insurers are trying to exclude this and those that are covering it are putting a very tight ceiling on cover.” On product liability cover, Trotter thinks the insurance companies are liable to pay out. So if, for example, a company is sued because a Y2K-afflicted product of theirs has caused an accident, they ought to be able to make a product liability claim in the usual way. Professional liability and – of particular interest to FDs – directors’ and officers’ policies (cover against the board being sued for failing to prepare their companies for Y2K) are equally thorny issues. On professional liability, Trotter reckons most insurers are specifically excluding Y2K-related claims. Y2K IN ACTION British Airways has denied reports that it is forcing senior executives to fly on New Year’s Eve this year to prove that planes are safe from the Y2K bug. The Chinese government recently announced a similar measure and there was some speculation in national newspapers that BA would do the same. A Mori poll for ICL found that 40% of the public said they would not fly on New Year’s Eve, but Air Iceland claims to have sold all but a few seats for those wanting to see in the millennium from a glacier. Fixed and mobile telephone lines in the UK will be Y2K compliant by September, but a cloud still hangs over some international connections, according to telecom watchdog Oftel. Its review has so far shown that 95% of fixed-line operators would be ready by the middle of 1999 and the remaining 5% by September. All mobile networks will be compliant by June. But international calls to countries that have not checked their networks may still be a problem. Prime minister Tony Blair has threatened to “name and shame” local authorities that are failing to reach their Y2K compliance targets. In a speech to the Local Government Association, Blair said that those which failed to reach their targets were at risk of being exposed by a public spending watchdog. “We all depend on your services, whether traffic lights and waste collection, benefits or housing,” he told the local government officials. The Audit Commission has found that 15% of local authorities will not have solved Y2K problems by 1 January. Some US chemical plants could be open to Y2K failures, according to a US government report. The Chemical Safety and Hazard Investigation Board said the problem was exacerbated by the fact that many local and state governments are oblivious to it. President Clinton may have got a few rounds of applause during his State of the Union address in January, but all went quiet when he asked for help to make Y2K the “last headache of the 20th century”. Source: VNUNewswire.