Internet Business Law Alert

12 Steps To Address The Year-2000 Problem
And Reduce Your Legal Exposure

Richard L. Ravin, Esq.

By: Richard L. Ravin, Esq.

The Year-2000 ("Y2K") Problem is an operational problem, not just a technological problem. It will affect businesses locally, nationally and internationally. By addressing the Y2K Problem now, companies can reduce their risk of operational problems and legal exposure in the near future.

The Y2K Problem is caused by computer programs using two digits instead of four to represent the year -- e.g. "98" for "1998". For a more than a quater century, programmers assumed that the first two digits would always be "19". Thus, on January 1, 2000, non-compliant computers will think it is January 1, 1900.

A company should consider taking the following steps to address the Y2K Problem:

PLEASE NOTE: This list is only illustrative and is not exhaustive. It is not appropriate in every case. The purpose of this newsletter is to provide general information on the Y2K Problem and should not be considered legal advice. Every case has special circumstances requiring its own analysis by legal counsel.

Make Senior Management Aware of Y2K Problem

Before addressing the company's Y2K Problem, management must be made aware of the seriousness of the Y2K Problem in general. Senior management must acknowledge that the Y2K Problem is not just a "technology" issue, but a company-wide "operations" issue that requires the allocation of substantial funds and personnel. It is a problem of potentially global proportions.

Develop a Management Team and Plan

To resolve this operations problem, a company should assemble a Y2K Problem Management Team to develop a Y2K Compliance Plan, including a Contingency Plan in the event that Y2K compliance cannot be completed on schedule. The Y2K Problem Management Team should include the Chief Executive Officer, the Chief Information Officer, the Chief Operating Officer, the Chief Financial Officer, legal counsel, and, if possible, an independent Y2K consultant.

The Y2K Problem Management Team should establish a company-wide approach to the Y2K Problem, by centralizing their control of Y2K compliance efforts. The Management Team should allocate the funding, personnel and resources necessary for the three crucial stages of Y2K Problem management: evaluation, remediation and testing. Contingent on the company's size and industry, the Team should budget 10-20% for evaluation, 20-50% for remediation, and 30-50% for testing.

In its Y2K Compliance Plan, the Management Team should define "Y2K compliance." There is no single Y2K compliance standard. One illustrative, albeit oversimplified, definition may be:

The Team should distinguish between "Y2K compliance" and "Y2K ready." Typically, software is Y2K ready if its vendor represents that it will be Y2K compliant when used in accordance with the accompanying documentation. Depending on your applications and the extent of your company's Electronic Data Interface ("EDI") with other companies, this distinction could be significant.

The Management Team should also prepare a Contingency Plan in the event that Y2K compliance is not completed on schedule. The Contingency Plan should both define the mission-critical operations, and prepare the company to perform without the use of IT systems (e.g., by substituting a paper-based system reminiscent of the 1970's). This back-up plan should include training and staffing options, as well as trigger dates. Hard copies of all documents necessary to maintain mission critical operations should be maintained, for instance, the general ledger, accounts payable and accounts receivable reports for a given time-period preceeding 1-1-2000.

Evaluate the Company's Internal Y2K Problems

The Management Team should take inventory of the company's IT systems and legal documentation. To determine the Y2K compliance of the company's internal IT systems, the Management Team should take stock of all hardware, software and firmware. The Team should also determine whether the company has proprietary or third-party computer programs, and whether the source code is subject to either the company's or the vendor's intellectual property rights.

The Management Team should locate all legal documentation, including, software licenses, systems maintenance agreements, software development agreements, and consulting agreements. It is important that the Team also gather all the sales and promotional material distributed by the software and hardware vendors. These materials may provide representations and warranties, or be the basis for extrinsic fraud claims against software vendors.

The Team's legal counsel should determine the scope of the documents' maintenance and support obligations, including, warranties, representations, limitations on liability, indemnifications, disclaimers, Y2K compliance certification, statutes of limitations, and non-disclosure agreements. By taking stock of the company's legal documentation, the Management Team can examine whether each agreement calls for the vendor to remedy the Y2K Problem, either free of charge, as part of a current service agreement, or at a cost. This process will also prove useful in connection with pursuing possible litigation options.

Evaluate the Company's External Y2K Problems
(i.e., Y2K Compliance of Trading Partners)

After reviewing the company's internal IT and legal documentation, the Team should analyze Y2K compliance by external trading partners (suppliers, distributors, customers, etc.). The Management Team should identify all forms of EDI, and establish a dialogue with trading partners (especially with critical suppliers), regarding their Y2K compliance plans. The Management Team should inquire into suppliers' (i) awareness level of the Y2K Problem, (ii) Y2K Compliance Plan, (iii) the current stage of the supplier's Y2K Compliance Plan, (iv) the date Y2K remediation will be completed, (v) the date Y2K testing will begin and be completed, and (vi) whether the supplier's systems will be Y2K compliant by January 1, 2000. Especially for critical suppliers of products or with whom your company conducts EDI, written responses or questionnaires may be appropriate. The Management Team should be sure to diligently follow up on responses and document its efforts.

As further precaution, the company may seek representations, warranties and/or indemnifications from its trading partners as to their Y2K compliance. Determination as to whether the time, effort, and legal cost expended is worthwhile to secure each assurance requires a risk-benefit analysis specific to each case. Generally, obtaining such assurances is better than not having them, but, if the effort expended will be great, and it distracts the company from doing more productive Y2K tasks, then perhaps the company should consider engaging instead in open and frank dialogues with its trading partners.

Companies should also re-examine their own product or service warranties provided to their customers to make sure that they are either confident that the Y2K Problem will not cause a breach, or that the warranty by its own terms (preferably, expressly) exclude Y2K Problems. Companies may need to require that the manufacturers of component parts supplied to the company for assembly in the finished product provide warranties as to Y2K compliance.

Create Y2K Problem Response Department

The company should consider creating a formal Y2K Problem Response Department, which controls the timing and content of affirmative public statements, statements to shareholders, and creditors (especially inquiries made by trading partners). The Response Department could also provide appropriate disclaimers and maintain the company's duty to update/correct disclosures.

As part of response efforts, funnel all Y2K inquiries (whether oral or in writing), centrally through the office of counsel or other senior management. Alert company employees that no one outside of the appointed Y2K Problem Response Department should answer questions as to your company's Y2K compliance. By failing to respond appropriately and consistently, lower-level employees (such as members of the purchasing department) could create substantial liability for the company.

Do a Risk Management Review

The Management Team should perform a risk management review. It should determine, as best it can, likely scenarios in the event that IT systems are partially or completely disabled, and how these may affect operations, earnings, market share and survivability. The same analysis should be made assuming there are EDI failures and suppliers (especially certain key suppliers) cannot deliver their goods or services. These risk assessments must be made by the Management Team as it develops the Y2K Compliance Plan and makes budgetary and personnel allocations. This process will help determine which mission-critical systems need to be made Y2K compliant to survive past December 31, 1999.

It is also important to review insurance coverage. While directors and officers have come to rely on insurance coverage for themselves and their businesses for injury caused by unintentional acts or omissions, most will be surprised to learn that there may be no coverage for injuries caused by Y2K Problems. This may be either a function of the legal interpretation of the insurance contract, or simply due to a Y2K Problem exclusion.

The fortuity doctrine recognizes that insurance companies insure against risk, not certainty. The arrival of the Year 2000 is a certainty. Therefore, the insurance industry will argue, there is no coverage for any Y2K Problems. Similarly, the known-loss doctrine establishes that if the insured knew of the loss at the time the policy was contracted, then there is no coverage.

The insurance policies which will be in effect for the overwhelming majority of Y2K Problem claims have not yet been issued. This is because most insurance policies have a one-year term. It is expected that most claims for Y2K Problem injuries will arise after December 31, 1999, (although there are some massive class action suits already underway against software vendors). Thus, only policies written after January 1, 1999 will be in effect in the Year 2000. The point is that whether the policy is "claims-made" (such as Directors & Officers and Errors & Omission policies), or "occurrence" (such as Comprehensive General Liability), the insurance industry still has time to fashion exclusions for Y2K Problems. It is likely that renewal policies will reflect these changes.

Directors and officers need to be especially aware that there may be no coverage to protect them against personal liability (in cases such as class action derivative lawsuits). They may be at particular risk if their Directors & Officers policy has a Y2K Problem exclusion, (although, as discussed above, the fortuity or known-loss doctrines may preclude coverage even without an express exclusion).

Perhaps the worst-case scenario can be expected by a director or officer who has totally ignored the problem, hoping the whole Y2K Problem will "blow over" or that Microsoft would come up with a magic bullet in the nick of time. This will not happen. Those directors and officers who do nothing to handle their Y2K Problems, risk losing the protection of the business judgment rule (discussed below).

All is not lost on the insurance front, however. Some policies may permit the insured to recover costs associated with remediating a problem, which, if left un-remediated would result in a loss covered by the insurance. The theory is that since the insured took steps to reduce the loss for which the carrier would have been liable, the insured should be reimbursed for those costs. It is important to discuss this point with your risk manager or legal counsel as to its applicability.

Make Company's IT Systems Y2K Compliant andNegotiate Compliance Warranties/Representations

Those IT systems found non-compliant may either be upgraded, replaced or modified (altering software software source code).

If the Management Team chooses to upgrade the company's non-compliant systems, it should attempt to establish Y2K compatibility standards and negotiate Y2K compliance requirements (warranties and representations) into contracts with software developers and computer service providers. In addition, the contract should define deliverable goods and facilitate contract management.

If the company chooses to remediate (i.e., modify the source code of its software), it can be implemented either in-house or by an external consultant. The company's considerations should include remediation costs, the implications of Y2K remediation on the company's tax treatment, and the competition's choice of Y2K solution.

In the area of Y2K cost taxation, the Internal Revenue Service and the Financial Accounting Standards Board ("FASB") have set contrary policies on reporting remediation costs. The IRS concludes that Y2K costs should capitalized (i.e., depreciated over the span of the asset's life), whereas the FASB's general accounting principles treat Y2K costs as expenses in the year incurred. Given conflicting policy, the Management Team must determine whether remediation is a current expense or a capital investment that is subject to depreciation expense.

If the company is unable to remediate, or the company's size makes it uneconomical, the Management Team may opt to acquire new systems, convert its data, and train employees accordingly.

If the systems integrator, understandably, will not represent or warrant that the system will be Y2K compliant, the systems integrator should be required to assemble all of the manufacturers' warranties and representations (including sales literature) addressing Y2K compliance. These representations and warranties should be reviewed by the Manager of Information Services ("MIS") to determine whether the levels of "Y2K compliance" are acceptable to the company.

Once the upgrading, replacing or remediating is complete, either an in-house or third-party integrator should conduct thorough Y2K compliance testing for both the company's internal and external systems. The successful completion of Y2K compliance testing should be a criterion for acceptance of the computer system.

he Management Team's attorney should also determine the vendor's and the company's respective intellectual property rights. Generally, licensees receive source code for read-only purposes (which do not permit users to alter the source code), permitting vendors to preserve their copyright. Altering that source code (for instance, when remediating Y2K Problems in a date field), may violate that license agreement or copyright laws. However, the Copyright Act may permit a company to conduct Y2K remediation when it is considered an "essential step" for using the licensed software through December 31, 1999. 17 U.S.C. Section 117.

Directors' and Officers' Duty of Due Diligence

At a minimum, directors and officers should assess their company's Y2K Problems. Although directors and officers are not responsible for fixing a company's Y2K Problem, directors and officers should conduct Y2K due diligence to enjoy immunity from personal liability premised on the business judgment rule. Also, as noted above, there may be no insurance coverage protecting directors and officers from personal liability. Making matters worse, a jury, say, in 2002 is likely to view news accounts (articles, television and radio broadcasts, etc.) of the Y2K Prolbem as evidence that the Y2K Problem was widely-recognized throughout the business community in the summer of 1998.

In order to be immune from personal liability under the business judgment rule, a director or officer must act with reasonable diligence, conforming to the standard of an ordinarily prudent director or officer under the circumstances. Therefore, if a director or officer did not inquire about the company's Y2K compliance as of summer 1998, the director or officer may remain unprotected by the business judgment rule.

While decisions made in the exercise of reasonable diligence may be defensible within the business judgment rule, a failure to act or failure to make a decision is seldom defensible under the business judgment rule, because the director or officer made no judgment at all.

A director or officer may be found negligent for not only failing to conduct a Y2K evaluation, but also for issuing financial statements without disclosing that either a Y2K Problem exists, or that a Y2K evaluation has not been completed. For example, as the signatories of securities registration statements, directors and officers face potential personal liability for material misstatements or omissions about Y2K compliance. If directors or officers ignore a material Y2K issue affecting the company's net income, the directors and officers also expose themselves to shareholder derivative suits.

Make Y2K Compliance Disclosure

Once Y2K evaluation and due diligence are complete, disclosures by the Management Team may be necessary regarding Y2K compliance/non-compliance. Disclosures may be required, for example, (i) when borrowing money from a bank (such as in loan documents), (ii) when selling a business, or (iii) when making a filing with a regulatory body (such as the SEC). In addition, the Management Team should avoid making material misstatements or omissions as to the company's Y2K status when responding to trading partners' inquiries, or applying for insurance.

For publicly-held companies, disclosure should be made if the Y2K Problem or its remediation will have a material effect on a company's financial operations. Disclosure may also be necessary to other regulatory auditors, examiners, or agencies (such as that by banks reporting to the Federal Reserve Board).

For closely-held companies, if the Y2K Problem has a material effect on the company's financial position, a director or officer may need to disclose this information to shareholders.

Accountants and attorneys may face particular duties with regard to Y2K compliance disclosure. Specifically, accountants may need to advise clients that material Y2K Problems should be disclosed on financial statements. When conducting audits, accountants may also have the independent duty to disclose material Y2K Problems in financial statements. Attorneys should discuss potential Y2K Problems with clients in connection with the due diligence review of transactions such as mergers and acquisitions.

When representing the buyer of a business, an attorney should advise the buyer to have its MIS (or outside expert) evaluate the seller's Y2K Problem, for both internal and external operations. An attorney representing the seller of a business should counsel the seller as to the risks of not accurately disclosing Y2K Problems. Particularly if there are no known problems, the buyer should determine whether this is because the management has not conducted its due diligence. The attorney should also advise the seller that, if the buyer brings suit after the sale based on breach of representations or fraud, a failure to make a material disclosure exposes the seller to liability.

Litigation Options

Parties Liable and Theories of Liability

Potentially liable parties include software and hardware vendors, systems integrators, service providers, computer consultants who recommended non-compliant products, trading partners, directors and officers, Y2K remediators, accountants, attorneys, and insurance carriers.

Y2K Problem liability may be premised on numerous theories, including, contract (such as breach of warranty), tort (such as products liability, personal injury, fraud, and intentional/negligent misrepresentation), unfair or deceptive trade practices, and consumer fraud.

The bulk of Y2K Problem litigation will occur after January 1, 2000, although some suits against software vendors are already underway. Claims against software and hardware vendors will likely focus on the extent of warranties and disclaimers, as well as fraud and misrepresentations made in advertising (such as promotions touting that a product will solve problems through the 21st Century). As to litigation against systems integrators, computer consultants, programmers, and maintenance providers, if the agreement requires performance through the Year 2000, computer service providers may be liable for failing to keep computer systems operational through the start of the new millennium.

Tort Liability For Computer Service Providers

Given that off-the-shelf software invariably has disclaimers and limitations on damages, a tort claim against a software vendor is often preferable to a contract claim. Tort claims which may arise from the Y2K Problem include products liability, and intentional or negligent misrepresentations.

Tort law often applies to litigation against systems integrators, computer consultants, programmers, and maintenance providers. For example, a tort claim may succeed pertaining to Y2K compliance if the product was sold with a defect that made the product (e.g., pace-makers or Intensive Care Units) unreasonably dangerous, making the seller and manufacturer liable per se.

However, the economic loss rule denies recovery for claims of Y2K non-compliance for pure economic damages, since the UCC (which provides remedies for breach of implied and express warranties) is the exclusive remedy for the purchaser of a product. To recover where a claim is based on intentional or negligent misrepresentations, the economic loss rule requires either physical injury to a person, or a duty separate from the contract.

A claim against a computer service provider, such as for maintenance and programming services, may not be subject to the economic loss rule. Moreover, since such a contract is not for goods, it is not covered by the UCC. As a result, in place of asserting a contract claim, an injured party may bring a tort action for negligence related to the performance of the service. Some jurisdictions allow limited economic tort damages for claims of negligent performance of contractual services. AT&T Co. v. New York City Human Resources Administrations, 833 F. Supp. 962, 983 (S.D.N.Y. 1993)(recognizing the exception, but noting that the exception to the economic loss rule is limited only to contracts for services). In addition, the economic loss rule may not apply when the buyer and the seller do not have equal bargaining power.

One critical inquiry as to negligent misrepresentation is whether there is a duty that gives rise to a tort claim, separate from the contractual duty. Most courts do not recognize a cause of action for negligent misrepresentations (such as in Y2K compliance measures), in the absence of some special relationship of trust or confidence between the parties. NMP Corp. v. Parametric Technology Corp., 958 F. Supp. 1536, 1547 (N.D. Okl. 1997).

For instance, if an information provider makes negligent misrepresentations, and that provider owed a duty (separate from the duty in its service contract) to provide his customer information without negligence, then the provider of the information will be liable. General Electric Capital Corp. v. Equifax Servs. Inc., 797 F.Supp. 1432, 1442 (N.D. Ill. 1992)(a company that provided information to lenders for inventory control and collection purposes). General Electric Capital Corp. held that where an information provider makes a negligent misrepresentation in the purported guidance of others' business transactions, the economic loss rule does not apply. This analysis may be relevant in a Y2K Problem scenario, perhaps against a consultant or software engineer hired to assess or certify Year-2000 compliance

Outside of the products liability context, however, the economic loss rule may not apply to torts, such as intentional or negligent misrepresentations (including fraudulent inducement), which are collateral or extraneous to a contract. Clark-Fitzpatrick, Inc. v. Long Island Rail Road Co., 70 N.Y.2d 382, 389, 521 N.Y.S.2d 653, 656-57 (1987)(the legal duty must spring from circumstances collateral to, and not constituting elements of, the contract, although it may be connected with and dependent on the contract); Int'l Ore & Fertilizer Corp. v. SGS Control Services, Inc., 38 F.3d 1279, 1283-84 (2d Cir. 1994), cert. den. 115 S.Ct. 2276 (1995); Deerfield Comm. Co. V. Cheseborough-Ponds, Inc., 68 N.Y.2d 954, 956, 510 N.Y.S.2d 88, 89 (1986)(a fraudulent inducement claim must be based on a misrepresentation of present fact collateral to, but which was inducement for, the contract).

In addition, there is a distinction between negligence in the provision of services (negligent acts or omissions, such as in malpractice), and negligent misrepresentations. For example, unlike the negligent provision of services, negligent misrepresentation may be actionable in a matter arising out of the purchase of a computer program or the recommendation of the computer program

Liability of Y2K Solutions Providers

The Y2K Problem has spawned a new specialty industry in Y2K solutions providers and consulting services, and contract claims may arise against systems integrators, computer consultants, maintenance providers, and computer programmers. Y2K solutions providers are often highly-trained and have specialized knowledge about programming and computer systems. It remains to be seen how courts will treat these defendants.

Although malpractice law can render attorneys, accountants, doctors, architects, and engineers, personally liable for their professional services, there is no cause of action for computer malpractice. Parties have sought to extend the malpractice doctrine to computer consultants, based on computer professionals' specialized knowledge in a technically complex area. See AT&T v. The New York City Human Resource Admin., 833 F. Supp. 962, 983-85 (S.D.N.Y. 1993); Columbus McKinnon Corp. v. China Semiconductor Co., 867 F. Supp. 1173, 1177-83 (W.D.N.Y. 1994). But See Data Processing Services, Inc. v. L.H. Smith Oil Corp., 42 N.E.2d. 314, 318, 319 (Ct. App. Ind. 1986).

Contract and Tort Claims Between Trading Partners

As between trading partners, a supplier can be liable to his customer for "non-delivery of goods" under UCC 2-713. For example, a Y2K Problem with automated manufacturing and inventory control can cause products not to be manufactured and shipped on schedule. This manufacturer may be liable for non-delivery of goods to its customers, which, in turn, may be liable to its own customers for non-delivery of goods.

The UCC provides that a supplier is liable to its customers for actual damages. Thus, a supplier that fails to deliver its goods on time will be liable for the difference between the contract price and the market price at the time of the breach. This difference could be considerable if the market supply is already dry because of the Y2K Problem.

Consequential damages and incidental damages are also available to the customer under the UCC. Thus, the supplier could be liable for the foreseeable damages flowing from the non-delivery of goods. Such damages are typically, loss of reasonable or expected profits. If the supplier specifically knew the profit that the customer was going to earn on the product, he may be liable for that amount.

Nationally (indeed, globally), this "non-delivery" scenario could set off a domino effect throughout the manufacturing and distribution sectors of the economy. As a protective measure, companies should consider adding clauses to their contracts that excuse performance for non-delivery of goods caused by a supplier's or a distributor's Y2K Problem. A company should be especially concerned about the Y2K compliance of third parties, whose compliance is beyond the company's control (especially those critical suppliers which are the company's sole source of supply).

A suit against a trading partner may arise not only from a contract, but also from a tort. If a trading partner intentionally or negligently misrepresents itself to a customer or a supplier as Y2K compliant, then an action may lie for fraud or negligent misrepresentation. Thus, if its customer relies on the misrepresentations of the trading partner, and the customer places a large order which is not delivered, the supplier may be liable in tort for damages. The same holds for misrepresentations made by a customer to a supplier.

Beyond contract and tort claims, however, most states' unfair/deceptive trade practice or consumer fraud statutes may be asserted against a company that continues to ship products which are not Y2K compliant. Such a company must have knowledge that to become Y2K compliant, the customer would be required to purchase extensive upgrades to the software.

The Duty to Mitigate, the Force Majeure Clause, and the Impossibility Doctrine

The duty to mitigate, the effect of a force majeure clause, and the applicability of the impossibility doctrine are additional considerations as to Y2K Problem litigation. Y2K compliance contracts invoke the duty to mitigate damages, particularly in the case of consequential damages. (See UCC 2-715(2)(a) and Section 6-5).

A force majeure clause in a Y2K compliance contract will typically protect the obligor in the event that a part of the contract cannot be performed due to causes which are outside the control of parties, and could not be avoided by the exercise of due care. Although a company's internal Y2K Problem may be within its control, the Y2K Problem of an obligor's supplier may be deemed outside the obligor's control. In addition, standard force majeure clause language can be altered to specifically rule out the Y2K Problem.

The impossibility doctrine may be interposed as a defense to a claim of non-delivery of goods due to the Y2K Problem. If, after a contract is made, an unforeseen event occurs which makes a party's performance impracticable (not due to that party's fault), then the duty to perform may be discharged so long as the non-occurrence of the event was basic to the contract. Although it is unlikely that a future jury would find that the Y2K Problem was unforeseeable as of summer 1998, its exact effects may be found to have been unforeseeable.


Companies should address their Y2K Problems immediately to reduce their exposure to operational problems and potential liability. The failure of directors and officers to do so, creates the risk of liability not only for the company, but for them personally, as well.

* * * * * * * * * * * * * * * * * * * * * * * * * * *

If you would like to receive future complimentary issues of the Internet Business Law Alert or if you have any questions or comments about the articles, please feel free to contact Richard L. Ravin, Esq., by phone at (973) 228-9600, or by E-Mail at

Legal Services Available

      • Internet and Computer Law
      • Intellectual Property Law
      • Corporate, Business and Tax Services
      • Commercial Litigation
      • Employment Law
      • Product Liability Litigation
      • Reorganizations, Workouts and Bankruptcies

    Ravin, Sarasohn, Cook, Baumgarten, Fisch & Rosen, P.C. is available to counsel its clients regarding Internet and Computer Law, including the issues raised in this publication

    • Registration of trademarks, domain names and corporate names
    • Drafting work-made-for-hire agreements for Web sites and other copyrightable works
    • E-mail policies and employment law related issues
    • Trade Secrets (such as customer lists, secret formulas and designs)
    • Personal jurisdiction issues (avoiding being sued wherever your Web site is reviewed
    • Internet privacy issues
    • The "Year 2000 Problem"

Inquiries Welcomed

Telephone:; (973) 228-9600 • Fax: (973) 228-6080
Web Site:

This and other publications of Ravin, Sarasohn, Cook, Baumgarten, Fisch & Rosen, P.C., as well as information regarding the firm and its attorneys, are available on the Internet at our Web site.

Return to the Top

BackupReturn to Firm Articles Newsletters

Copyright 2019, Richard L. Ravin
All Rights Reserved