Y2K Compliance and Records Retention.

• Author: MONTANA, JOHN C.

The so-called Y2K problem has gone through a long cycle of maturation. It began as a curiosity, was discussed in computer circles as an insider issue, and passed to the outside world, first as a scare story, which then transmuted into a legitimate business issue. It grew into a matter requiring full-blown government hearings and extensive business auditing and compliance, and billions of dollars to remedy. As time drew nearer, it became something of an emergency. Now, as time grows ever so short and we are finally persuaded that life will, in fact, continue, we have at last begun to think beyond the dreaded date itself and consider life afterwards.

We have begun to ask weighty questions such as "Gee, will we get sued if our Y2K compliance isn't perfect? .... What kind of Y2K compliance documentation do we need and for how long?" Such questions are themselves proof of a fully mature crisis. Nothing less would provoke them, and only our expectation of surviving more or less intact permits us to care about the answers.

Boiled down to its essentials, the legal risk is quite simple: your computer makes a Y2K error that botches some sort of important transaction and you get sued for the error. If the error costs the plaintiff a great deal of money or causes great injury, you get sued for a great deal of money. If the computer makes many such errors, you get sued many times. If many errors cost many people much money or injure many people, you wind up getting sued for a really large amount of money. If you don't realize all of this until the lawsuits start coming in, you are lost, since it is much too late to fix anything.

In practical reality, the situation is somewhat more complicated. The nature of the transaction botched, the identity of the other party, the legal theory underlying the suit, and other matters all play into the outcome. It is also possible to be the plaintiff, even though your Y2K compliance is the issue.

Potential Plaintiffs

The first step in analyzing the risk is to determine precisely who is the plaintiff. This could be any of a number of parties, some dependent upon the nature of the transaction, some not.

In the case of the computer system at a hospital that fails due to a Y2K bug, any number of parties are in one way or another potentially "injured" by such a situation. If patients in the hospital suffer new or aggravated injuries or substandard care due to the bug, they are obviously potential plaintiffs -- their "injury" is obvious.

If the system is used for accounting as well as patient management, vendors, customers, and other business partners (including partners of partners, customers of customers, and other remote parties, since any serious problem may cascade through the system for a long distance) may also sue; nonpayment, non-delivery of services, and other contractual matters are also "injuries" that may be litigated for compensation.

And this is not the end of the list. If the facility receives government funds through Medicare, Medicaid, or other federal programs, there might be liability if the failure to repair the bug violated some statutory or regulatory requirement attached...