Year 2000 Vendor Compliance Programs and Legal Audits

• Publication year: 1998
• Pages: 99

27 Colo.Law. 99 Colorado Lawyer 1998.

1998, October, Pg. 99. Year 2000 Vendor Compliance Programs and Legal Audits

---

99

Vol. 27, No. 10, Pg. 99

The Colorado Lawyer
October 1998
Vol. 27, No. 10 [Page 99]

Specialty Law Columns
Technology Law and Policy Review
Year 2000 Vendor Compliance Programs and Legal Audits
by Kelly Ann Breuer Weist

Editor's Note: This is the first in a series of six articles on Year 2000 topics that will appear in this column through the August 1999 issue. Upcoming articles will cover litigation, insurance issues, government contracts, class actions, and legislative response. See also Patterson "Advising Clients Regarding Year 2000 Compliance," 27 The Colorado Lawyer 5 (Sept. 1998)

As the millennium approaches, business lawyers will be confronted with one likely question from their clients: What do I need to do to make sure that my business is not affected by the Year 2000 ("Y2K") problem While most large companies have initiated Year 2000 compliance programs and legal audits, many small- to medium-size companies still have not begun those efforts, perhaps because they do not know where to begin. Although no one quite knows what the impact of Y2K will be on business, counsel can assist clients in minimizing the harm Y2K can cause. This article describes how counsel can minimize the harm by encouraging clients to implement Y2K compliance programs and legal audits

The "Millenium Bug"

The problem, or "bug," arises from a deliberate design decision made by programmers in the early days of computers. Due to the high cost of memory, programmers saved space wherever they could. One common method was to designate the prefix "19" in the digit field as the year. These "legacy systems" were utilized as the basis of other systems and programs. Therefore, myriad programs, applications, hardware configurations and embedded chips may have performance problems when the clock rolls around to January 1, 2000.

All electronic systems need to be inventoried and reviewed. Do not assume that the client's business is immune from a Y2K failure. It was a faulty assumption that created this mess in the first place.

Developing a Plan

The client's first step in conducting an audit is to develop a Y2K plan. At a minimum, this plan should consist of the following: (1) an inventory of programs, systems, and dependent products that could be affected by Y2K; (2) a determination of which systems and products are critical to ongoing business operations; (3) a "compliance program" in which client or counsel contacts vendors to determine if their products or services are Y2K compliant (in this process, the client will need to make an initial determination of where and under what terms it acquired the systems and products under consideration); and (4) a legal audit to assess the client's rights of recovery against vendors of products that are not Y2K compliant.

Y2K Inventory

Most businesses should start their inventory by listing all the computers they have in operation. To do this, the client could make a spreadsheet identifying the type of equipment, the applications or programs that run on it, when it was obtained, how it was obtained (such as through a contract or purchase order), the vendor it was obtained from, and whether any part of the equipment or applications were designed specifically for the client or acquired with the advice of a consultant.

In addition, an important consideration for certain applications and databases is whether they are called on to make projections. If the client uses a program that projects out past December 31, 1999, such as those used for credit card authorizations, loan amortization, or dates of service for pension benefits, the client will need to know the program's "time horizon to failure." From this, the client can determine when the program is expected to experience its first projection past December 31, 1999.

As with PCs or mainframes, clients must be careful to identify anything that has an embedded chip, such as fax machines, internal phone systems, microwaves, elevators, and thermostats. Mass market computer chips are used in everything from watches to cars to pacemakers. Generally, embedded chips cannot be reprogrammed, so either the chip or the item that contains the chip will need to be replaced. Few of the mass-marketed chips will have Y2K bugs, but without contacting the manufacturer, there is no way to know for certain in advance of a failure.

The client also needs to identify any infrastructures or outsourced business functions on which it is relying including "smart" office buildings, transportation, telecommunications, and electricity. This is a critical consideration. Is it essential for the client to travel by air to meet with customers Is the client's cell phone crucial to the business Can the client live without data transfer from suppliers of information Even if everything in-house is shipshape, the client's...