COVER STORY: Y2K, lawyers and you! Will you sink or swim?
- 01 October, 1998 12:01
If the company you work for becomes the subject of Y2K litigation, will you be covered if your boss points the legal finger at you? Well, whether you're an IT manager, contractor, consultant or programmer, you could find yourself being the only asset-rich target left for third parties with a Y2K vengeance!
The date is February 26, 2000 and Colossus Petroleum Corp has murder in its heart. Its latest multibillion dollar refinery is fatally behind schedule because vital equipment is missing. The shipment was shunted into cyber-limbo after a strangely-labelled date field in the equipment supplier's legacy code slipped through its Y2K-proofing exercise.
Without the refinery onstream, Colossus faces a huge revenue gap. It is suing the supplier who in turn has spun around to point a legal finger at its own IS manager, the contractor overseeing its Y2K project and analyst-programmers on the remediation team.
If this seems a far-fetched scenario, think again, particularly if you happen to be a contractor, warns Alfonso del Rio, a partner with Clayton Utz in Canberra.
"There is no doubt it will happen. In big actions brought against one entity, the first thing it will do is cast around to see who did the contracting."
Y2K-related lawsuits will each see "20 to 30 parties sucked into the mire" of alleged negligence or breach of contract, del Rio predicts.
"Any self-employed contractor who negligently fails to ensure the change of century data is handled correctly will be able to be sued in any proceedings."
Unfortunately for contractors, taking out insurance against such threats is no longer viable. The millennium bug has sent insurers into full retreat. Some no longer write professional liability insurance at all for Y2K work. Where it is available, the premiums have shot through the roof.
Permanent IS managers and programming staff may be protected against lawsuits mounted by their employer in some states. But if their company goes into liquidation, they could find themselves the only asset-rich targets left for third parties with Y2K grievances.
IS managers have the additional burden of being exposed to directors' liability under corporate law. To top off this cocktail of risk, companies hit by serious Y2K trauma are likely to mount internal hunts for scapegoats starting with the IT department. So the post-2000 period poses career-threatening possibilities for permanent IT employees.
Against this rogue's gallery of unwelcome repercussions, IT professionals associated with Y2K remediation work need to sit down and perform a cold-blooded assessment of their situation.
Accurate risk assessment and strategy selection might save both their family homes and their careers later on.
One umbrella of protection enjoyed by permanent IT employees in NSW is The 1991 Employees Liability Act. Passed to prevent employers from seeking compensation from their workers for negligence, the act provides similar immunity on Y2K issues.
But the legislation puts the onus on employees to work to the best of their ability. If a company can prove an employee deliberately planted a millennium bomb, his legal indemnity would vanish and his action would fall into the category of fraud.
NSW-style protection is not available in every other state. More than that, it is still feasible for a customer to sue both a company and its employees for negligence, said Robert Jordan, a leader of the iTEAM group recently formed by law firm Henry Davis York to specialise in information technology matters.
"But it must be an act of negligence rather than just not performing a contract," Jordan said. "If a company has undertaken to provide Y2K remediation services and failed to fix all the problems, that isn't necessarily negligence.
It could just be a breach of contractual obligation in which case the company would be liable but not the employee."
Jordan noted that employees are rarely sued because "it is not good for industrial relations". On the other hand, "if you work for a small, undercapitalised consulting company that doesn't have the money to pay a damages claim, the customer may decide it will be more successful against its employees".
IS managers have further cause for concern because of directors' liabilities as laid out under corporate law.
"A lot of people don't understand that a director is defined as anyone involved in managing the affairs of a company, or who is in a position to influence that management," says del Rio.
That definition could plant IS managers squarely in the sights of shareholders seeking post-2000 satisfaction because of their obligation to ensure Y2K issues are brought to their board's attention.
To protect themselves, managers "must ensure there is a compliance plan in place and that the plan is followed", del Rio says.
The charmed circle of protection offered to permanent IT staff by NSW legislation does not extend to consultants.
"As far as the Employees Liability Act is concerned, consultants are fair game," said Peter Silver, a senior associate with Clayton Utz in Sydney.
Their best protection lies in placing indemnity clauses in their contracts but they must be wary because "indemnity clauses are looked at very critically by courts", says Silver.
"During the 1990s the law of employment has become blurred," says Fitzsimons.
"A consultant contracts with a principal and depending on the terms of his contract, it may imply a year 2000 warranty."
It is now common practice among contractors in Y2K work to build in blanket clauses absolving them from liabilities.
"You are embarking on a relatively small exercise compared to the exposure that Y2K poses for the company you are servicing," says Jordan.
"You undertake to perform a service with professional skill but your sole liability is to go back and do it again if you make an error," he says.
"You cannot be held responsible for the year 2000 problem." Under the Trade Practices Act, liabilities of up to $40,000 are implied but even there, service providers "are able to limit their liability to the cost of providing their services again to fix the problem", Jordan said.
The Australian Computer Society (ACS) is lobbying to have a cap placed on professional liability in NSW and Western Australia. But it is unlikely to happen before the middle of 1999, says Philip Argy, the ACS spokesman on legal and social issues.
The ACS has obtained lower premiums for its members because it argues convincingly they comply with a code of practice which embodies good risk management principals.
However, things have reached a point "where no sensible Y2K contractor can afford to sign a contract unless they exclude or severely limit their liability", Argy says.
The market is at a stage where companies that have not yet signed remediation contracts are in no position to reject such exclusion clauses, he says.
Buck-passing may hit pandemic proportions post-2000 as public and private sector executives attempt to deflect blame for underestimating the Y2K issue.
For IS managers, it raises the spectre of becoming a target for accusations that could blunt or wreck their careers. "For an IS manager to be accused of failing to react quickly enough to year 2000 is tantamount to impugning his reputation," said Jim FitzSimons, a partner with Clayton Utz in Sydney.
In extreme cases, the corporate game of pass the hot potato could end in pink slips. IT employees in such situations could turn around and bring a case for wrongful dismissal or defamation, says FitzSimons. But they'll need to maintain a record of their actions to buttress their case if it has to go to court. Building a dossier of pertinent e-mail messages is a prudent step, he suggests.
"As a general legal principle, the power of the written word is 1000 times greater than mere conversation and e-mail is as weighty (as the written word) if it can be proved to be reliable.
"If you go into court with a physical memo dated January 17, 1998, it is deemed more reliable than an e-mail record because it is harder to forge."
To get around that, a reasonable compromise would be to print out relevant e-mail messages and date and sign them. For crucial messages, it might even pay to send it mail to yourself via Australia Post to establish independent verification of the date.
However, documenting concerns about the pace or direction of a remediation effort in a private dossier can land employees in treacherous terrain. "Sending an e-mail to the board saying you aren't happy with the way Y2K is going is not going to help anyone," points out del Rio. "It becomes good evidence for anyone who later sues the company and will have the company asking why you exposed it by sending and saving such messages."
A senior executive with one large vendor argues such files "should be kept at home under a pillow, not on the company's premises.
"A well-managed company that gets e-mail like that from a manager doesn't let it form a smoking gun in the legal discovery process. They thank you for your concern but say they have independent advice which shows it to be unwarranted."
On anecdotal evidence, senior management in three out of 10 Australian companies are still not addressing Y2K responsibly, according to Graeme Inchley, head of a federal government taskforce formed to spur Australian companies into Y2K compliance.
"If an IS manager feels it is not being treated appropriately, he should put his concerns in writing because he can't afford not to," Inchley says.
He suggested private sector IT executives "clearly document their recommendations, send them to senior management by way of memo or electronic mail and keep records of them.
"Number two, I would express my thoughts in a non-threatening way to senior management if I was concerned the company might be the subject of later legal action and I would ask for assurance [my liability] would be covered by the company."
To prevent career blight from Y2K problems, "it comes down to ensuring you have a very well-documented program", Inchley said."One where the responsibility of everyone is identified, the outcomes are identified, the time-frame and budget are identified and there is a suitable reporting mechanism where monthly feedback is obtained by the board or senior management.
The Commonwealth Government has already announced it is covering its employees for Y2K liability, according to Inchley, But state government IT workers "should double-check they have coverage against any action that might be taken by a third party against them or their department".
Consultants not directly involved in Y2K work can still get professional indemnity cover at reasonable prices. ACS members typically pay $680 a year for $1 million worth of indemnity incorporating $5 million in public liability.
Non-members pay double that premium. But insurers are rapidly opting out of the market. In Western Australia, for example, the State Government Insurance Office has retreated totally and no longer offers professional indemnity for anyone in IT, said Russell Medcraft, a representative of large insurance broker Aon Risk Servicers.
The small group of global reinsurers who lay off risk for big insurance companies closed off all Y2K business earlier this year. A few companies are still writing such business for customers like large banks and financial institutions but the premiums have escalated into the tens of millions of dollars, Medcraft says.
"Insurers are either applying exclusion clauses [to Y2K work] or pricing the premium almost beyond reach or a combination of both. He estimates less than 10 per cent of the IT industry now has some form of professional indemnity cover.
"Everyone trying to hire contractors to make their systems Y2K compliant wants the contractor to have some sort of cover so if things don't work, they can sue someone. But insurers are retreating from the market for the next year or two until claims are settled.
"What individual contractors should do now is find a good lawyer and set up fine-grained contracts that basically exonerate them from any liability at all," Medcraft says.
"As we move closer and closer to 2000, the business landscape is changing monthly. You wouldn't want to be a director of a public company on January 1, 2000."
Ross McLean, Hitachi Data Systems Y2K services director in Asia Pacific, said HDS is not stepping back from remediation work even though its insurance coverage expired in March. "It just means we write a legal cap on our responsibilities into our contracts. It is a bit of a shock for customers who are uneducated in the ways of Y2K contracts but they come to terms with it once they have talked to a number of vendors." With clients who are Y2K-literate, hammering out the non-liability clauses adds no more than a week or two to the negotiation process, he says. McLean argues a legal moratorium on all Y2K-based litigation would solve the whole issue.