This article appeared in the July 1999 issue of the
© 1999 Massachusetts Bar Association
This article originally appeared in the Westport Insurance Co. newsletter, An Ounce of Prevention, mailed as an exclusive benefit to those lawyers insured by Westport. Westport is the endorsed insurance carrier of Massachusetts BarAssociation professional liability insurance. Westport thanks Randy Evans ofthe Georgia law firm of Arnall, Golden & Gregory for allowing use of thisabridged and edited version of his article.
As the year 2000 approaches, many attorneys remain unawareof the risks and potential problems. Generally, year 2000 issues can be dividedinto two broad categories: external and internal risks, each with its ownimplications and solutions. Either can be debilitating to a law practice.
EXTERNAL RISKS Generally, external risks involve those risks which resultfrom interfacing or interacting with computers or networks that are external(or outside) the typical law firm. This includes financial institutions,communication systems, security systems, etc. Unfortunately, notwithstandingsome relatively easy methods for determining if some categories of thirdparties are compliant, many attorneys do not or have not taken even the minimumprecautions for protecting their practice from the problems of those who werenot yet ready for 2000.
INTERNAL RISKS Generally, internal risks involve risks uniquelyassociated with the operation of an attorney's practice docket control,accounting/billing controls, escrow functions, and practice management. Althoughmany attorneys assume that the viability of their systems are directlyproportionate to the costs incurred in connection with their computeroperations, the fact is that there is little correlation between the amountspent and the degree to which attorneys' systems are prepared for 2000.
To prepare for the next millennium there are things thatattorneys can do. Some are relatively simple. Yet, they do require someunderstanding of the types of risk involved and the resources available.
WHAT'S THE PROBLEM? The problem is that many computer manufacturers took ashortcut. To save space, many deleted the "19" from the yeardesignation in the computer. So, the year 1990 was converted to simply 90. Theeffect is that no distinction is made between the year 1990, the year 1890 orany other century involving the decade of the '90s. The fact is, manycomputer manufacturers never contemplated that their products would still be inuse when 2000 came around.
Of course, 2000 is no longer distant. As it approaches,computer specialists have begun to focus on what could happen when 2000 finallyarrives. For those systems that did not make the conversion, the possibilitiesare not good. They range from system unreliability to system shutdown.
In terms of system unreliability, some computers maysimply treat 2000 as 1900. In that event, as far as the computer is concerned,the date Jan. 1, 2000 becomes Jan. 1, 1900. However, Jan. 1, 1900 was a Monday.Jan. 1, 2000 is a Saturday. The resulting problems are obvious.
Worse yet, time duration calculations become nonsensical.A long-distance telephone call commenced at 11:59 p.m. on Dec.31, 1999 andending on Jan. 1, 2000 would likely be calculated as a 99-year telephone call.Unfortunately, the more likely scenario is a system shutdown. For manycomputers, there is nothing after 99. For those computers, 00 was the beginningand 99 will be the end.
HOW DOES IT AFFECT ME? There are thousands of articles regarding thepossibilities of what will happen when the next millennium arrives. Thepossibilities range from total chaos resulting from a total shutdown of allsystems to minor inconveniences. Candidly, no one really knows what will happenJan. 1, 2000. Yet, the direst predictions are certainly disturbing. Virtuallyall systems today are computer dependent. Everything from elevators to phonesystems are dependent on a computer. Moreover, the degree to which computersare networked means that it may only take one non-compliant system to causemajor systems problems.
Externally, a total system shutdown would mean no cashfrom the ATM; no traffic lights for the drive to work; no mass transportation;no lights, heat or air conditioning in the building; no radio or television; nopurchases at the supermarket, the department store or the gas pump; and, worstof all, no microwave.
Internally, a total system shutdown would mean nocomputer-generated documents; no docket or calendar control; no facsimiles; nofinancial records; no billings; no time entry; no new client matters; no phones;no disbursement; and possibly, no access (if the firm has a security system).In addition, there is some concern regarding whether data stored when thesystem failure occurs will be lost. For law firms, the implications of thispossibility are serious.
At a minimum, the Y2K problem will likely mean out ofsequence deadlines, billings, time entries, etc. In addition, financialrecords, including those associated with escrow accounts, may not beimmediately accessible.
Obviously, the actual risk of these various possibilitiesis greater for some than for others. Yet, few law firms have begun to focus onany of these risks. Instead, most assume that somehow the problem will takecare of itself. If not, then attorneys think they will simply be in the same boatas everyone else. Of course, attorneys are not like everyone else. The firsttarget when business transactions fail or there are missed deadlines is theattorney. The bottom line is that attorneys are expected to anticipate thesetypes of problems and address them. Failure to do so likely results inunanticipated liability and/or risks.
Finally, aside from the direct external and internal risksto the attorney, there are the indirect consequences resulting from unpreparedclients. These risks can manifest themselves in a number of different ways.
Some clients may simply not survive. Clients sensitive tocash flow disruptions could be destroyed if their own systems or the systemsused by their vendors, customers or financial institutions fail. (Of course, thesame could happen to law firms with cash flow problems early in 2000.)
Other clients may inherit problems through the acquisitionof and/or merger with other entities that are not Y2K compliant. These types ofproblems are likely to generate questions regarding the sufficiency of the duediligence performed in connection with the acquisition and/or merger. Dependingon the magnitude of the problem, directors and officers may face the risk ofshareholder suits. Regardless of whether it is a shareholder derivative actionor simply business disruption, the obvious response for many clients will be"why did you not tell me about this problem?"
HOW DO I KNOW IF I HAVE A PROBLEM? Unfortunately, everyone is at risk. One of thecomplicating factors is the degree to which a single Y2K noncompliant systemcan infect other systems. There are, however, some things to look for whichindicate a higher risk.
Systems that are greater than two years old are at asubstantially greater risk. This includes both hardware and software. If thecomputer was purchased in 1996 or earlier, special attention should be given totesting and verification procedures. Or, if software purchased on, or before,1996 has been added to the system, then special attention should be given totesting and verification procedures. The addition of a single noncompliantsystem can convert an otherwise compliant system into a noncompliant system.
Generally, any DOS-based software, regardless of purchasedate, should be especially scrutinized. If this is unknown, given the potentialramifications, the assumption should be that the software is not compliant andappropriate testing and verification pursued.
It is important not to overlook potentially noncomplianthardware. It seems that attorneys never throw away anything. This includes oldcomputers, printers, keyboards, monitors and the like. Yet, any one of these,if noncompliant, could infect an entire system. So, the old printer, nowrelegated to the library, could become the culprit in a system-wide shutdown.All hardware and software must be considered in determining the degree of riskthat a law firm faces.
ARE THERE TESTS I CAN RUN? There are tests that can be run, and there areverification procedures that can be followed to further minimize the risk.Testing can be either self-administered or through an independent consultingservice which specializes in Y2K compliance issues. The decision as to approachshould involve an evaluation of the magnitude of the problem (considering theage of system), whether the system is DOS-based, and the resources available.It is important to remember that self-administered evaluation will require asubstantial time commitment and lots of patience.
Help for self-administered plans can be found in severalplaces. First, sellers of the equipment and software you use should havesubstantial information regarding their products. Second, many softwareretailers sell prepackaged software that will test systems for Y2K compliance.Some of the packages also contain software solutions to some of the more easilyremedied Y2K problems. Third, there are a number of Web sites on the Internetthat offer a wealth of information regarding Y2K compliance.
Some Web sites provide tests for systems that can bedownloaded for use. Others provide valuable lists of hardware and software thathave been determined to be Y2K compliant. Other sites provide action plansoutlining the steps to be taken in a self-administered program. Some sites inthis category include:
There are also Web sites for the companies thatmanufactured the hardware or software used by an attorney's system. TheseWeb sites provide important information regarding each company's product.Simply typing in the company name into any search engine will generally lead tothe Web site for that company.
Many law firms lack the expertise or inclination toinvestigate and cure the risks associated with Y2K noncompliant systems. Suchlaw firms can always use a consultant to assist with the project.
HOW DO I FIND A CONSULTANT?
The starting point is to find consultants who have someexpertise in addressing the problem. Manufacturers and software makers will,many times, identify analysts and technicians trained to work on theirproducts. Computer retailers will also either provide their assistance oridentify those who can help. The Internet also is a convenient resource aswell.
Once identified, there are several considerations tonarrowing the choice of consultants who can offer services that can bestevaluate, and if appropriate fix, the systems use. Look for analysts andtechnicians who have been specifically trained and preferably certified to workon the systems involved. Consider their experience in dealing with Y2Kproblems. Ask for and check references. Inquire about timeliness,dependability, efficiency and cost effectiveness.
Financial wherewithal is also an important consideration.Determine whether the consultant has a bond or insurance to protect customersin the event mistakes are made. Financial wherewithal is also an indicator ofwhether the consultant will still be in business when 2000 actually arrives.
Consider what the consultant proposes and its cost. Aproposal that lacks specifics can be expensive and unproductive. If the cost ofevaluating and, if appropriate, fixing the system is too high, a bettersolution may be to replace or upgrade the system with Y2K compliant hardwareand software. (Be sure to consider the cost of computer downtime and associatedattorney downtime when evaluating the proposal.)
Once a consultant is selected, the next step is to confirmthe terms of the consultation. Documentation of the contractual agreementshould at a minimum include the following terms:
WHAT IF I JUST UPGRADE?
Some attorneys have decided that the task is toooverwhelming and their systems too old to fix. As a result, the conclusion isto upgrade their systems. This can be an effective solution subject to certainkey conditions.
Understand that there is a difference between upgrade andreplace. An upgrade may involve as little as adding certain hardware orsoftware to enable the system to perform faster and do more. However, theaddition of new hardware or software does not make an otherwise noncompliantsystem any more compliant. The greater likelihood is that the old hardware orsoftware do not make an otherwise noncompliant system any more compliant. Thegreater likelihood is that the old hardware and/or software will infect thenew. An upgrade, unless specifically represented as making a designated systemY2K complaint, is not a solution.
There are two options available for replacing existinghardware and software. Initially, there is the purchase option. This involves actuallybuying new hardware and software. The benefit of this option is that the lawfirm owns the system. The downside is that if something goes wrong, the lawfirm owns the system.
Then there is the lease option. Under this scenario, thelaw firm does not own the equipment and software. The benefit is that operationof the system is ultimately someone else's problem. The downside is,notwithstanding a sizable capital investment, the law firm owns nothing.
Regardless of whether the law firm decides on a purchaseor lease, it is important that the law firm get certain guarantees,representations and warranties. It is nonsense to purchase or lease a newsystem without adequate legal assurances that it's Y2K compliant.Although most experts in the industry assume that new systems are Y2Kcompliant, no attorney should take that risk. Instead, in purchasing or leasingthe system, the question should specifically be asked, "Is this system,including all of its component parts and software, Y2K compliant?" If so,this assurance should be put in writing. In addition, there should be specificagreements regarding what rights the law firm has if the system is not Y2Kcompliant.
In addition, there should be assurances that the system isimmune to infection by noncompliant systems. Specifically ask, "Whathappens if external systems that the system interacts with are not Y2Kcompliant?" The important thing is to ask the question and get specificanswers. Do not assume anything. No question is too stupid to ask. No possibilityis too remote to contemplate.
Also, put the system to the test. Quality manufacturersand software makers will permit customers to "test drive" theirsystems. There is no better way to see if a new system fits than to see if itcan perform the tasks required for the operation of the law firm.
In addition to specific assurances concerning compliance,find out who is responsible for addressing any problems encountered. One of themost frustrating aspects of new computer equipment is finding a real person totalk with regarding problems that develop. This is true generally. It is alsotrue for attorneys who purchase or lease new systems. It will especially betrue as 2000 approaches and arrives and demand for computer expertise increasesas problems increase.
Find out at the time of acquisition who will beresponsible for addressing problems. Obviously, one part of this process isacquiring a system from a supplier that will still be around in 2000. Anotheris actually testing the procedure to determine if there will really be someonethere to address problems when they occur.
WHAT ABOUT EVERYONE ELSE'S COMPUTER?
Obviously, there is little that attorneys can do to makeothers ensure that their systems are Y2K compliant. On the other hand,attorneys can take steps to identify who is compliant, reduce the risk fromthose that are not, and minimize liability for allegedly not doing an effectivejob of protecting clients.
In identifying who has versus who has not, third partiescan be divided into three categories: financial institutions, vendors andclients. The risks associated with each are much different.
Financial institutions affect attorneys in a multitude ofways. They are the holders of clients' escrow funds. They provide thefinancing necessary for the operation of the law firm. They provide a secondset of records of financial transactions, payroll, deposits, disbursements,etc.
Fortunately, for most financial institutions (certainlythose chartered by the Federal Reserve Board, insured by the FDIC or regulatedby the federal government) there are Y2K compliance disclosure requirements.
Lists of compliant and noncompliant financial institutionsare available from the federal government and on the Internet. In addition, a simplephone call to the financial institution will generally yield the answer. Giventhe seriousness of the financial aspects of the law practice, writtenconfirmation of Y2K compliance should be obtained. If written confirmation thata financial institution is Y2K compliant cannot be obtained, the law firmshould transfer funds to a Y2K compliant institution.
Unfortunately, it is not easy to verify the status ofvendors. For vendors of such utilities as telephones, electricity and naturalgas, government regulations in many jurisdictions require Y2K compliance. Thebest source for determining Y2K compliance is to contact the institutiondirectly or visit its Web site.
For smaller vendors, many businesses have developedquestionnaires asking whether their systems are Y2K compliant. Some attorneysplan to disconnect their internal systems from the vendors' systems untilthere is confirmation that these systems are Y2K compliant. Because the Y2Kproblem can affect a system well in advance of Jan. 1, 2000, it is notsufficient to simply disconnect from noncompliant vendors on Dec. 31, 1999. Ifthe computer designates a date on or after Jan. 1, 2000, and is not Y2Kcompliant, the Y2K problems will occur even if the designation occurs well inadvance of 2000.
As harsh as it sounds, another solution is to select newvendors that can provide written confirmation of Y2K compliance.
For clients, the problems are different. In addition tothe possibility of infection by noncompliant client computer systems, lawyersface the risk of liability to clients for failing to advise them regarding therisk. This is especially a problem for attorneys who assist clients in mergersand acquisitions, who perform due diligence investigations, who interact withthe governmental agencies on behalf of the client, and who participate infinancial audits with clients.
The risk can, however, extend well beyond the expectedproblem practice areas. For example, a plaintiff's personal injuryattorney faces potential exposure when the structured settlement checks stopcoming after Jan. 1, 2000, because the insurance company involved was not Y2Kcompliant. Undoubtedly, the client will insist that it was the attorney'sresponsibility to ensure that the company was Y2K compliant.
Reducing the risk involves two different concepts with twocompletely different purposes: helping the client and protecting the attorney.Although there is some overlap, the goals of the two should not be confused.
Helping the client principally focuses on reducing therisk that the client will have a problem. Obviously, the attorney'sability to control what the client does will vary from client to client.However, the simple process of raising the client's awareness of theproblem and potential sources for solutions increases the likelihood thatcorrective action will be sought. At a minimum, the greater awareness, promptedby questions from the attorney, reduces the chances of "Why did you nottell me about this problem?"
Start by determining if the client has a problem and, ifso, how bad that problem is. Solutions can range from hiring a consultant(subject to the considerations discussed above), to replacing the systemthrough lease or purchase. It is critical that the client has an action planwith specific deadlines for completion. Otherwise, like most other problems,the systems issues will not be addressed until they become real problems. Ofcourse, by then, it could be too late.
For clients who engage in mergers and acquisitions, openlydiscuss the Y2K problem. Potential merger or target acquisition candidatesshould be evaluated for Y2K compliance. If this task is outside of theattorney's expertise, and for most attorneys it is, arrangements shouldbe made for the retention of competent consultants who can provide theinformation needed. Preferably, the client hires the consultant directly, thuseliminating any suggestion that the attorney is "passing on" thesufficiency or accuracy of the consultant's evaluation.
Attorneys may also want to suggest appropriate disclaimerlanguage for clients to include in their agreements. This language should notonly be included in documents generated in connection with mergers andacquisitions, but also contracts with vendors, customers and others. Broad disclaimerlanguage has been drafted by the Insurance Services Organization foreliminating any coverage under certain policies for claims based directly orindirectly on a Y2K problem. This language is a good starting point fordrafting similar language for the attorney to use in drafting language forinclusion in client contracts.
Another area for special focus is insurance. Notsurprisingly, much is being written in the insurance industry about Y2K issues.Given total absence of any clear-cut answer at this time, the safest course forthe attorney is to shift the responsibility for addressing the issue ofinsurance for Y2K losses and/or liability to the insurance broker for theclient. At a minimum, the comprehensive general liability, directors andofficers liability, ERISA, professional services and umbrella/excess coveragesshould be reevaluated.
The most important part of the attorney's role inassisting clients with the Y2K issue is understanding and communicating thelimitations on the attorney's Y2K role and expertise. Unless lawyerspractice in a unique area such as computer law or intellectual property, it isunlikely that their understanding of the issues associated with Y2K will besufficient to provide any meaningful assistance to the typical client otherthan to possibly confuse them.
Given this limitation of expertise, attorneys shouldspecifically disclose in their engagement letters or fee contracts thelimitations of their representation. The price of silence is just too great.For the attorney who does not address the issue, it is almost certainly assumedthat Y2K issues to the extent involved in the matter at issue, are included,not excluded, from the services the attorney has agreed to provide.
Generally, the following language can help eliminatemisunderstandings regarding what services the attorney has agreed to providewhen it comes to Y2K issues:
The firm does not represent you in connection with anyissues or matters concerning "Y2K," year 2000 issues, or relatedissues involving computers and 2000. To the extent you seek advice in thisarea, you should retain the services of a professional competent to provideassistance in this area.
In addition to including this disclaimer in the engagementletter or fee contract, attorneys should follow this limitation on the scope oftheir representation. Attorneys should not give advice in the area unless theyare specifically competent to provide assistance in the area.
Moreover, in performing legal services, attorneys shouldbe careful not to inadvertently assume responsibility for that which they havedisclaimed at the outset of the representation. For example, in SEC disclosurestatements, there may be representations regarding the entity's Y2Kcompliance. The accuracy, completeness and reliability of those representationsshould be left to those competent to verify the accuracy, completeness andreliability of the statements. If an attorney must sign off generally todisclose statements, the attorney should obtain for the files written confirmationon those issues from a competent professional on whom the attorney has relied.
This does not mean that there are not things that anattorney can do to help clients cope with the Y2K issue. There are. Largely,unless the attorney is uniquely qualified, the attorney should limit assistanceto asking clients the broad questions, providing Web site resources, suggestingdisclaimers, and facilitating solutions. On the other hand, the attorney shouldnot provide advice, answers, or solutions to clients concerning Y2K unlessqualified to do so.
Some of the questions an attorney may want to considerasking are:
- Areyou prepared for 2000?
- Haveyou verified that your vendors, customers, suppliers, and financialinstitutions are Y2K compliant?
- Haveyou discussed with your insurance broker whether you have coverage for Y2Krisks including your comprehensive general liability, directors and officers,professional services, and umbrella/excess coverages?
- Doyou have a written plan?
- Haveyou designated a person responsible for Y2K compliance?
- Doyou have a contingency plan for emergencies?
Beyond asking the questions, the attorney's roleshould be limited to facilitating the solutions identified by competentprofessionals in the computer area. Anything beyond that involves risks toogreat for the average practitioner to accept.
HOW DO I GET STARTED?
The most important thing is to begin and begin now!Probably the best starting point is to designate a person, or assemble a team,to assume responsibility for the task. The initial inquiry should be on whetherthe firm has a problem and, if so, how best to address it. There should be nohesitation in bringing in professionals to assist in the process. Obviously,the considerations discussed above should be taken into account in selecting aprofessional to assist with the project.
Once the scope and nature of the problems have beenidentified, the next step is to develop a plan. The plan should not onlyoutline the steps to be taken to ensure Y2K compliance, but also the steps topreserve confidential information and maintain sensitive data (e.g., attorneywork product, escrow records). It should also specify how Y2K compliance willbe confirmed and documented. In developing the plan, partners, associates, secretaries,and administrative staff should be consulted. There should be an open and frankdiscussion of the possibilities of business disruption on both the firm and theindividuals.
Different areas of practice will involve different risks.Trial lawyers need to address the possible impact to calendar control systems.Corporate lawyers need to think about steps to be taken in connection withacquisitions and mergers. Estate lawyers want to focus on preservation of formsand computer stored data. All lawyers need to be sensitive to their escrowresponsibilities.
There also needs to be a contingency plan. This includesback up to the calendar control system. It also likely involves hard copies offorms, financial records and other data stored on the computer.
Finally, there are two preventative steps that should beremembered. All engagement letters or fee contracts should disclaim anyrepresentation in connection with Y2K issues. And, to avoid potential cash flowproblems, serious consideration should be given to insisting on retainers.
The year 2000 brings with it uncertainty and challenges.Among the challenges at the outset will be computer glitches that could effectvirtually every aspect of life. But, there are things that can be done.
Preparation begins with understanding the risks, seekingthe right help, making the right changes, and taking the right preventativesteps. While there is certainly no foolproof solution, these steps, taken earlyenough, can help attorneys survive the advent of the next millennium.