Y2K: Implications for
Directors, Officers, and their Insurers – Archived Article

1999

This article was written by Joseph P. Monteleone, Esq., senior vice president and claims counsel for Reliance National. It is reprinted from a National Underwriter book, D&O: Guide to Risk Exposures and Coverage, by Clarance E. Hagglund, J.D., Britton D. Weimer, J.D., and Mr. Monteleone, copyright 1999.

At this point in time, virtually everyone in the American business community with a “need to know” should be aware of what has commonly become to be known as the Year 2000 Problem, Y2K, or the Millennium Bug.  For ease of reference in this article, we will refer to the issue as Y2K.

For those of you who do not regularly read the Dilbert comic strip or who have spent the last few years on a monastic retreat in the Himalayas, the Y2K problem is one which essentially resulted from the use of two-digit year fields in computer software codes and in embedded silicon chip technology.  As a result, the software and/or chip either cannot recognize “00″ as being 2000 as opposed to 1900, or it does not recognize it at all.  As a result, there may be a “crash” of data, miscalculations, shut down of machinery, or even more catastrophic events.  While we have a fairly good handle on what litigation exposures may ensue, there remains a wide disparity of opinion as to the frequency and severity of the Y2K failures that actually will take place. Particularly with embedded chips, we may not have definitive answers until the clock ticks past midnight on Dec. 31, 1999.

The focus of this article will be on the particular exposures of corporate officers and directors to Y2K problems and the implications for them, their corporations, and their Director's and Officer's (D&O) Liability insurers.

The Exposures Defined

The Gartner Group, a leading consultant and expert in this area, has projected that globally the cost of remediation for Y2K issues will be in the range of $300 to $600 billion dollars. (Best's Review, P/C Edition, November 1998 at 33, hereinafter Best's.) Lloyd's of London, accounting for the likelihood of Y2K-related litigation in addition to the remediation effort, has opined that the costs may exceed $1 trillion. (Insurance Litigation Reporter, March 15, 1998, at 164.) According to a spokesperson for a major United States D&O insurer, Y2K is “the emerging issue in directors' and officers' liability today.” (Best's at 33.)

The onset of Y2K litigation began in 1997 with the first customer and consumer class actions against software distributors and creators that had non-Y2K compliant products (Insurance Litigation Reporter, March 15, 1998, at 164.)   Not surprisingly, the first suit involving coverage for a Y2K-related claim followed in late 1998. (Cincinnati Insurance Co. v. Source Data Systems and Pineville Community Hospital, N.D. Iowa (No. C-98-0144) reported in Mealy's Year 2000 Report December 1998.).

Corporate officers and directors may have significant exposures under federal laws relating to securities fraud and corporate mismanagement, as well as similar laws in other jurisdictions addressing duties owed to shareholders and the corporation.  Director and officer liability readily can be perceived under three basic scenarios.

First, there is the problem of disclosure and potential securities fraud liability arising from incomplete, inaccurate, or non-disclosure.  To the extent addressing the Y2K problem will have a significant financial impact on the corporation–either in terms of the cost of the prophylactic fix or in terms of remedying damage that may occur in the future–such impact must be timely and adequately disclosed to the corporation's shareholders.

Second, there is the problem of mismanagement.  The potential for corporate mismanagement liability, most likely to be brought in the form of shareholders' derivative actions, is great if management does not address the Y2K problem in a timely or effective manner.  Although in many respects the Y2K problem appears still to be a future one, it may have already arrived for many corporations because there may not be enough time for a cost-efficient and effective fix. Plaintiff law firms are already preparing for shareholder derivative actions in this area.  For example, Milberg, Weiss, Bershad, Hynes & Lerach, which is a prominent firm both in the area of securities fraud class actions and shareholder derivative suits, began assembling a Y2K litigation “team” in 1998.  Indeed, that firm's web site advertises that “[p]ossible targets of shareholder litigation are corporate directors and officers who fail to disclose the costs of fixing the problem to shareholders.” (Best's at 34.)

Finally, as we have already witnessed in about two dozen suits filed to date, there may be exposure to third parties such as customers of the corporation. While this litigation has been and should be largely confined to actions against the corporate defendant alone, there can be instances where a corporate officer or director will be named under a fraud theory or with allegations of aiding and abetting in the breach of a contract by the corporate defendant.  Although there will be many defenses to such claims, which will vary among jurisdictions, this does not discount the possibility that such actions will be brought. When brought, they will require significant defense expenditures before the individual director or officer is extricated from the litigation through motion and/or settlement.

The Y2K problem is especially significant in the insurance industry where multi-year policies, annuity contracts, and other products already have been issued with expiration dates in the year 2000 and beyond and that require calculations based upon actual dates in the 21st century. Arguably, the Y2K problem first may have surfaced in the area of life insurance where programmers in the early 1970s had to account for annuities and life contracts running past the year 2000.

Even in industries where the problem is not yet acute, Y2K compliance may have to be achieved well before December 31, 1999.  For example, many financial institutions in the United States had to have Y2K programs in place no later than December 31, 1998.  Compliant software has been defined by the financial regulators to be that which contains four-digit years in its code and which has been tested for efficacy.

The business judgment rule typically offers directors and officers a defense to allegations of mismanagement.  Although the application of this rule varies from jurisdiction to jurisdiction, it generally provides a judicial presumption that a director or officer, in rendering a business decision, acted in good faith and in the corporation's best interests.  The presumption can be overcome only upon a showing of gross negligence or more culpable conduct.  It should also be borne in mind that the rule only applies to affirmative errors and not to omissions. Thus, there must be a business decision before the business judgment rule will attach.  Should management simply ignore a Y2K problem, business judgment rule protection will not be afforded.

Recent Statutory and Regulatory Developments

The Y2K litigation to date has essentially been premised upon alleged violations of existing statutory and case law.  Nonetheless, directors and officers, corporations, and their insurers need to be particularly concerned with the following recent developments.

The Year 2000 Information and Readiness Disclosure Act

This federal act (the Act) was signed into law by President Clinton on October 19, 1998. Enacted ostensibly in an effort to facilitate the public sharing of information among companies with regard to their Y2K “readiness”, the Act is intended to allow the American business community and public at large to benefit without undue fear from anti-trust and other claims of liability. Some states also have begun to enact similar laws. See e.g., Cal. Civ. Code Sec. 3269 for California law in this regard.

In many respects, the Act is intended to preempt much state law and rules of evidence in order to provide a nationwide “safe harbor” for Y2K statements and disclosures.  However, the Act is not intended to apply to financial statements and other disclosures filed with the U.S. Securities and Exchange Commission (SEC) or statements or omissions with respect to the sale or purchase, or offer to sell or purchase, securities.  As such, it does not preempt existing federal securities law and perhaps state securities laws as well.

The standard for liability under the Act for a Y2K statement alleged to be false or misleading is essentially (1) actual knowledge of the false, misleading, or inaccurate nature of the statement, (2) an intent to deceive or mislead, or (3) reckless disregard as to the accuracy of the statement.  The burden of proof rests with the plaintiff. It must be established by “clear and convincing evidence” that the Y2K statement made was fraudulent or was made in bad faith.  This burden is more difficult to satisfy than the mere “preponderance of the evidence” standard that applies in most civil litigation, but not as difficult as the “beyond reasonable doubt” standard that generally applies in criminal matters.

Although the Act provides disclosure protection, it does not impose any duty or obligation to provide information or notice about a company's Y2K compliance efforts. It also would not affect any contractual or warranty provisions that already exist regarding products or services.

In addition to protecting Y2K disclosures made between October 19, 1998, and July 14, 2001, the Act also enabled companies to “reclassify” statements made between January 1, 1996, and October 19, 1998, as a disclosure protected under the safe harbor otherwise provided under the Act and as discussed above. The deadline for such reclassifications was December 3, 1998.

SEC Release Nos. 33-7558 and 34-40277

Because The Year 2000 Information and Readiness Disclosure Act does not protect statements filed with the SEC or otherwise issued in connection with a purchase or sale or offer to purchase or sell securities, one must look to guidance from the federal securities laws and pronouncements from the SEC in this area.

To date, there has been no known securities litigation involving Y2K, and the applicable statutes and case law are silent with regard to the issue.  Nonetheless, the SEC has spoken a number of times since 1997 on the issue, the most recent being in the form of releases published on July 29, 1998, and expanded upon by the issuance of a Frequently Asked Questions (FAQs) document on November 9, 1998.

The releases are intended to guide corporations as to whether they are obliged to make Y2K disclosures in their 10-Qs, 10-Ks, and other filings with the SEC. They also provide some guidance as to what should be included in a Y2K disclosure.

In effect, virtually every public company must make a Y2K disclosure if it follows the guidance of the SEC because disclosure is required if either of the following two circumstances exist.

1.     The company's Y2K assessment is incomplete; or

2.     The company has determined that Y2K consequences will materially affect its business, operational results, or overall financial condition without regard to any efforts undertaken to avoid or mitigate those consequences.

Thus, even if a company may be able not to reasonably make any firm conclusion with respect to circumstance (2) above, most companies will not be able to state that their Y2K assessment is complete until some time late in 1999, if at all.

The SEC has stated its disappointment in the somewhat boilerplate disclosure statements that began appearing early in 1998.  Directors and officers should be aware that “meaningful cautionary” language must accompany a forward looking statement such as may relate to the Y2K issue in order to gain protection under the statutory safe harbor provisions of the Private Securities Litigation Reform Act of 1995.  Directors and officers, however, should also be aware that a misrepresentation of the company's current state of readiness will typically not qualify for safe harbor protection.

What must be contained in a Y2K disclosure according to the SEC?

1.     State of Readiness. This would include the company's own preparedness as well as what they know about key third parties such as vendors with whom they do business.  There should be specific disclosures with regard to the extent of testing and verification.

2.     Financial Cost.  This would essentially be the costs, both internal and external, of remediation. Interestingly, the SEC recognizes that a company may be able to purchase specific insurance for its Y2K exposures, and that is a factor it should consider and disclose with respect to its anticipated exposures.

3.     Risks.  According to the November 9, 1998, FAQs, a company should disclose its “most reasonably likely” worst case scenario with regard to Y2K.

4.     Contingency Plans.  What will the company do if all of its best efforts, as well as those of others, fail?  As companies have become immersed in their remediation efforts, few have begun the development of serious plans to deal with the contingency of a whole or partial failure.

D&O Insurance and Y2K

There are three key points to remember with regard to the Y2K problem and D&O insurance.

1.     There is nothing about a Y2K claim per se that would take it outside the scope of coverage of a D&O policy.

2.     In the case of a securities fraud class action or shareholder derivative action alleging mismanagement arising from a Y2K situation, there likely would be coverage under the D&O policy. If the policy provided “entity coverage” for the corporation, that coverage would extend to not only the directors and officers, but also the corporation, but only to the extent of the corporate entity coverage.

3.     In the case of a “third party” claim, such as one brought by a customer or governmental regulator, there may be coverage under the D&O policy subject to an allocation.

Given the fact that there have been no known Y2K claims to date against directors and officers that have been the subject of a D&O insurance analysis, it is difficult to speculate as to how the policies will apply.  At least one insurer has introduced a policy form that provides a “pre-set” allocation in the event of a third-party Y2K claim.  The allocation percentage in such cases is typically 25/75, i.e. 25% to the directors and officers and thus the amount insured under the policy.  The alternative, offered by the majority of D&O insurers, is to simply leave these claims open to an allocation negotiation when and if an actual Y2K claim is presented against the policy.  In such cases, there is a possibility for the policyholder to negotiate either better or worse than the 25/75 pre-set dependent upon the operative facts and allegations of the claim.  Thus, the trade off is essentially one between the certainty of the pre-set and the possible upside in a negotiated allocation once the claim is presented.

To the extent Y2K claims are brought by parties allegedly suffering bodily injury or property damage, it must be recalled that the D&O policy contains a rather straightforward exclusion for bodily injury and property damage that should apply to such claims.

Other exclusions and provisions may also apply, including the “other insurance” provision which may render the D&O policy excess of any other available insurance.  Discussion of coverage issues under other policies such as commercial general liability (CGL) and property insurance has taken place in numerous articles written in anticipation of the coverage battles reasonably sure to follow the emergence of Y2K claims.

In the few situations where D&O insurers have sought to employ a Y2K exclusion, one similar to the following Reliance Insurance Company version has been employed.

It is agreed that Section V., EXCLUSIONS, shall be amended to include the following:

for, based upon, arising from, or in any way relating, directly or indirectly, to any Year 2000 Problem;  provided that this exclusion shall not apply to a Securities Claim;

Solely for purposes of this endorsement, the following additional definition Shall apply:

“Year 2000 Problem” means the failure or inability of any computer, microprocessor, software, operating system or other computerized electronic equipment owned or operated by the Company or any other organization to accurately read or process any date-related information or data contained in a two digit date field, including but not limited to:

(i)     any date in the year 1999;

(ii)     any date on or after January 1, 2000; and

(iii)     the fact that the year 2000 is a leap year.

It is further agreed that the definition of “Loss“, set forth at Section IV.(J), shall not include any cost or expense in evaluating, correcting, updating, rewriting, redesigning, repairing or replacing any computer, microprocessor, software, operating system or other electronic equipment in the possession of, operated on behalf of or in conjunction with the Company or any other organization, including any advice provided or disclosure disseminated in connection with or in relation to any of the foregoing.

All other terms and conditions remain unchanged.

Other Available Insurance

In addition to D&O, insurers expect to see claims presented under a number of other policies, including the commercial general liability (CGL) policies mentioned previously in this book.

Of course, potential coverage issues are numerous under the CGL with respect to Y2K. Aside from the possibility of a specific Y2K exclusion, contractual actions and intentional torts would not be covered. (See e.g. Wilmington Liquid Bulk Terminals, Inc., v. Somerset Marine, Inc., 53 Cal. App. 4th 186, 193, 1997.)

Further, the policy is generally limited to coverage for bodily injury and property damage claims, and not for claims of economic loss. If a court does find physical damage, there could be an argument that the property damage requirement is satisfied, but that is not a certainty and there have been only a few and conflicting decisions in this regard. (See e.g. Retail Systems v. CNA Ins. Cos., 469 N.W. 2d 735, 738, and Seagate Tech, Inc., v. St. Paul Fire & Marine Ins. Co., 73 P. 3d 370, 1995.)

Errors and Omissions (E&O) policies may be subject to claims if they have been issued to software and/or chip technology providers and their scope of coverage is broadly defined. Many E&O insurers, however, have been reluctant to write coverage for these providers, or are doing so only with a Y2K claims exclusion.

A recent Massachusetts case, albeit not Y2K related, illustrates how E&O insurance could respond to a breach of warranty claim against a computer consultant. USM Corporation v. First State Insurance Company, 652 N.E. 2d 613, 614-15, 1995.)

Alternate Dispute Resolution and Y2K

A number of large companies have signed a pledge to negotiate all Y2K conflicts between and among them.  They also have agreed to mediate the disputes should direct negotiations fail. These corporations hope to persuade their vendors, suppliers and customers to also sign the pledge. Mediation “may alleviate the potentially hysterical reaction [to the Y2K problems]“, according to a spokesperson for the Information Technology Association of America. (Wall Street Journal, November 30, 1998.) If a trend toward alternative dispute resolution develops and continues, it may reduce both the risk and costs of Y2K claims by third parties against corporations and their directors and officers.

Serious Exposures

Serious exposures to directors and officers surely exist with regard to possible Y2K exposures. The most serious will be in the area of securities fraud class actions and shareholder derivative litigation. Unfortunately, the Year 2000 Information and Readiness Disclosure Act may provide scant comfort in that it does not apply to actions under the securities laws, and because it protects only statements and disclosures–not liability arising from a Y2K failure in and of itself.  The SEC releases, while arguably helpful as guidance, certainly do not have the force of law. They therefore may be very much a two-edged sword.  On one hand, they instruct corporations as to how to make their Y2K disclosures; on the other, they furnish a roadmap to the shareholders and their counsel as to what may or may not be an adequate disclosure.

Fortunately, D&O insurance would appear to offer some real protection as long as insurers do not resort to widespread use of broad exclusionary language such as that set forth above. Given very competitive market conditions, this is not likely to occur before such exclusions can have any meaningful effect. That is not to say that the D&O policy will always and completely respond, particularly in light of exclusions for bodily injury and property damage as may be applicable under certain fact scenarios.

The insurance industry has faced a number of catastrophic claim situations over the past twenty-five years, including the mass torts of asbestos and breast implant litigation, as well as the hazardous waste claims brought by governmental agencies and private parties.  In those cases, however, insurers and policyholders only began to formulate their coverage arguments after the claims arose. Y2K is somewhat unique in that the insurers and policyholders alike have begun to stake their positions long before the inception of any significant claim activity. How well those positions, espoused in the context of hypothetical and speculative claim situations, play out in the world of real claims and real coverage disputes will be an interesting drama to watch unfold.

Note

Since this article was written, several suits alleging securities violations involving Y2K have been filed, but they either have been settled out of court or still are in process.

In addition, the President signed the Y2K Act into law on July 20, 1999. Among other provisions, the act provides a 60-day remediation period to solve Y2K problems and narrows the extent of an aggrieved class in a class-action lawsuit.