Sep 18, 1998
Remediation - Contracting with the Year 2000 Service Provider
by Gary Dunn

CHECKLIST

CONTRACTING WITH THE Y2K SERVICE PROVIDER


The Y2K problem is a problem of risk - the risk of failure of systems that are critical to the continuity of essential functions of an organization. Risk management is a process of identifying, assessing and prioritizing these critical risks, followed by action and a contingency plan. Risks are prioritized based on the probability of their occurrence, their potential impacts, and the immediacy of the threat.

The Y2K problem is essentially a management challenge. It requires a sense of organization and diligence much like the skill that lawyers bring to the negotiation and consummation of business transactions.

Y2K checklists also provide an outline for the creation of company records that can later assist counsel in defending the company against claims alleging that it or its management were negligent or breached a contract in a manner that permitted Y2K defects in a program, system, application or network that caused damage to a third party.


1.0 OBJECTIVE

To make the client aware of the potential seriousness of Y2K issues, including issues relating to insurance, financial disclosure, officer's/director's liability, mergers and acquisitions, protection of intellectual property, labour and employment, and solicitor client privilege. Additionally, to fix and ensure subsequent compliance of systems with respect to Y2K dating and to shift the cost of repair where possible, using a risk management approach.

2.0 ASSESSMENT

2.1 Objective: Identify systems and processes critical to organization, including remote locations, out sourcing arrangements and in particular payment system providers, and prioritize repair. Review technical audit performed by IS department with management.

2.2 Objective: Availability of Y2K upgrade? Obtain legal assurances of availability of upgrade if not currently available, and consider contingency plan.

2.3 Objective: Assess potential obligations, liabilities and opportunities for cost recovery from third parties, including vendors, insurance companies and third party indemnities. Review:

(a) documentation relating to acquisition of hardware and software, including purchase agreements, software development agreements (including data base design), requests for proposals, proposals, side letters, operating manuals, public disclosure documents filed by vendors, and advertising by vendors for specific provisions relating to express warranties, Year 2000 compliance, force majeure, indemnification, limitations of warranties/liabilities, and shortened limitation periods.

(b) license agreements and where possible, upstream distribution agreements/sub-licenses from suppliers.

(i) Existence of specific or implied warranties. Have they expired?

(ii) Is the vendor willing to fix the problem? Are there specific rights to modify the software.? Access to source code? Rights to modify without consent? Ability to transfer rights to modify to different solution provider?

(iii) Does the vendor's distribution agreement with the manufacturer provide an indemnity of the vendor that can be relied on by the customer?

(c) maintenance and support agreements for specific obligations to fix Y2K problems and whether the vendor's obligations include the repair of anticipated Y2K problems.

(i) Review definitions to determine if Y2K compliance is defined as a bug/defect or customer requested enhancement.

(ii) Consider right of vendor to terminate prior to obligation to repair arising.

(iii) Ensure that future maintenance and enhancements are warranted as Y2K compliant.

(iv) Review terminated agreements for other relevant provisions.

(d) out sourcing agreements for both rights and limitations of liability. See also 2.3(a) above.

(e) agreements with trading partners and other non-vendor relationships for compliance obligations. Consider the potential for these parties becoming insolvent.

(f) merger and acquisition agreements.

(g) insurance contracts including directors' E & O, general, business interruption, product liability.

2.4 Objective: Assess cost and timing to determine whether to replace, repair or ignore. Consider strategic replacement following January 1, 2000.

NOTES: Consider issues of solicitor-client privilege to minimize availability of audit results in the event of litigation. Consider impact of choice of law clauses and the possibility of forum shopping to obtain the best legal entitlement. Ensure that appropriate non-disclosure agreements are obtained prior to commencing the audit process. Respond appropriately to Y2K requests for information from others.

3.0 REMEDIATION

A fundamental decision must be made as to whether the appropriate repair is for a deliverable solution or for consulting services. In either case, the repair may involve a simple replacement of hardware or software, or the rewriting of code.

3.1 Objective: Partially finance replacement of hardware and software by use of accelerated write off provided for by Revenue Canada.

3.2 Objective: Protect existing proprietary rights through use of non-disclosure agreements. Provide for knowledge transfer of new and modified work.

3.3 Objective: Ensure that existing warranties will not be voided by performance of remedial work.

3.4 Objective: Allocate responsibility for repairing recurrence of Y2K problems due to non-compliant data or programs.

3.5 Objective: Allocate responsibility for unexpected problems occurring in system as a result of repair efforts.

3.6 Objective: Ensure proper vendor attention to contract by specifying level of staffing, contingency plans, and use of accelerated dispute resolution (including participation of specified adjudicators), termination rights, incentives and liquidated damage clauses. Ensure choice/approval of consultants/employees working on project.

3.7 Objective: Differentiate between leased, purchased and shared hardware and software systems to identify appropriate remedy. If relying on hardware or software replacement, obtain legal assurances of delivery and installation.

3.8 Objective: Conclude agreement with service provider incorporating objectives 3.1 through 3.7 above and also covering the following issues:

(a) Defining the scope of services and allocating responsibilities between client and provider.

(b) Ownership/License - Ownership rights to modified software. Right to use and modify the system now and in the future. Allocating responsibility for obtaining rights to modify. Access to source code/source code escrow. Waivers of moral rights. Right to review agreements with vendor's independent contractors. License to use software for testing (in addition to underlying license) to avoid license restrictions relating to number of users, machine or site.

(c) Term - Ensure that warranty period extends beyond year 2000 where acquisition of hardware or software is involved.

(d) Applicability of warranties, both express and implied by Sale of Goods Act - fitness for a particular purpose, merchantability and title. Ensure clear statement of performance specifications/Y2K definition. See Appendix A for sample Y2K compliance representations. Minimize limitations of warranties. Consider when warranty expires. Consider applicability of International Sale of Goods Act. Consider extended or shortened limitation periods. If purchasing extended warranty or support, include rights to a compliant upgrade. Promises to repair may be of more practical use than money damages.

(e) Third party verification of compliance. Use of officers certificates.

(f) Payment. Right to withhold a significant percentage until tested and accepted. Consider availability of bond.

(g) Testing before, during and after repair. Ensure that any software, hardware, data (included converted data) and subsequent upgrades will be Y2K compliant. Allow for adequate time for testing.

(h) Responsibility for reoccurrence of problems due to transmission of non-compliant data.

(i) Backup and use of parallel systems during repair work.

(j) Time lines and progress reports. Due diligence by customer during repair work and whether this affects warranties.

(k) Exclusion or inclusion of collateral agreements.

(l) Indemnity.

(m) Force majeure. Expressly state that Year 2000 is not an excluded event.

(n) Applicability of US export controls, particularly if remedial work is being done offshore.

(o) Consider choice of law in the context of enforcement (forum and applicable law) and the nature of rights that can be obtained or are available by operation of law.


NOTES: The foregoing also applies to an acquisition of hardware and software, independent of the remediation process. Refer to software development, value added reseller and system integrator agreements for additional clauses and boilerplate.

4.0 TESTING

4.1 Objective: Test to ensure ability to receive, manipulate, store and exchange date data without contamination of communicating systems.

5.0 IMPLEMENTATION/CONTINGENCY PLANS

5.1 Objective: Acceptance by users following certification as Y2K compliant. Ensuring that data is not contaminated by non-compliant systems.

5.2 Objective: Anticipate and provide contingency plan for system failures following January 1, 2000 including:

(a) Manual systems.

(b) Disaster Recovery

APPENDIX A

SAMPLE Y2K WARRANTY

Alternate 1

The Vendor represents and warrants that each piece of equipment and software delivered or developed under this Agreement or Purchase Order ("Equipment and Software") is designed to be used prior to, during and after the calendar Year 2000 AD and that the Equipment and Software delivered or developed under this Agreement/Purchase Order will operate during each such period without error relating to date data, specifically including any error relating to, or the product of, date data which represents or references different centuries or more than one century.

Without limiting the generality of the foregoing, Vendor further represents and warrants that the Equipment and Software:

(a) will not abnormally end or provide invalid or incorrect results as a result of date data, specifically including date data which represents or references different centuries or more than one century;

(b) has been designed to ensure Year 2000 compatibility, including, but not limited to date data century recognition, calculations which accommodate same century and multi-century formulas and date values, and date data interface values that reflect the century; and

(c) includes "Year 2000 capabilities. Year 2000 capabilities means the Equipment and Software:

(i) will manage, calculate, sequence, compare and manipulate data involving dates, including single century formulas and multi-century formulas, including leap years and will not cause an abnormally ending scenario within the application or generate incorrect values or invalid results involving such dates; and

(ii) provides that all date related user interface functionalities and data fields include the indication of century; and

(iii) provides that all date related data interface functionalities include the indication of century.

If requested to do so by the Company, the Vendor will, from time to time provide the Company with the results of testing done by the Vendor on the Equipment and Software to verify that the Equipment and Software are Year 2000 compliant and capable in accordance with the terms of this warranty. Should the results of testing reveal that the Equipment and Software are not Year 2000 complaint in accordance with this warranty, the Vendor shall without charge to the Company, repair or replace the non-compliant Equipment or Software within the period of time to be specified by the Company. If such repair or replacement is not completed within the time specified, the Company shall have the right to have any necessary changes or repairs performed by itself and the Vendor shall reimburse the Company for any expense incurred thereby.

In the event of a breach of the Year 2000 warranty herein, and notwithstanding anything to the contrary in the Agreement/Purchase order, the Vendor shall assume all risks and responsibilities inherent to such warranty and shall indemnify and save harmless the Company and its customers from and against all claims, demands, suits, actions, or causes or actions, of any kind whatsoever, for direct or indirect damages, losses, injuries, death, property damage, claim and/or expenses resulting from this agreement, and shall also include all judiciary and extra-judiciary costs incurred by the Company arising from such breach.

Alternate 2

Article 1 - The Supplier further covenants, represents and warrants that during the period commending January 1, 1999 and ending December 31, 2000 (the "Year 2000 Warranty Period") each of the Systems and each component of the System and each Application which is delivered by the Supplier to the Customer pursuant to this Agreement, including without limitation, all computer and communication hardware, all software (including operating system software and application programs) and all files and data bases will properly and effectively processes, manage and manipulate data containing two and four digit year dates, including all years in the 20th and 21st century without any error or abnormal ending and without generating any incorrect value or invalid, inaccurate or erroneous result.

Article 2 - If the Customer notifies the Supplier in writing during the Year 2000 Warranty Period of any failure of any system, any component of any system or any application to process, manage or manipulate data in accordance with the requirements of Article 1, then the Supplier shall proceed promptly to correct the problem or problems at no charge to the Customer.


Source: Industry Canada (Strategis)
Strategis.ic.gc.ca/SSG/yk04403e.html

Alternate 3

Year 2000 Compliant ... means that the information technology accurately processes date/time data (including, but not limited to, calculating, comparing and sequencing) from, into and between the twentieth and twenty-first centuries, and the years 1999 and 2000 and leap year calculations, to the extent that other information technology, used in connection with the information technology being acquired, properly exchanges date/time data with it.

Source: US Federal Acquisition Regulation definition, 48 DFR Part 39.002

APPENDIX B

RESOURCES

Print

Canadian Bar Association, Countdown to 2000, Risks and Rewards (1998)

Gahtan, Alan, The Year 2000 Computer Crisis Legal Guide (Scarborough, Ontario: Carswell Thomson Professional Publishing, 1998)

Scott, Michael D. and Reid, Warren S., The Year 2000 Computer Crisis (Little Falls, N.J.: Glasser LegalWorks, 1998)

Internet

www.info2000.gc.ca (Treasury Board of Canada)
www.infoworld.com (InfoWorld Magazine)
www.year2000law.net/ (Year 2000 Law Network)
www.y2k.com/
strategis.ic.gc.ca/year2000
strategis.ic.gc.ca/SSG/yk04403e.html (Industry Canada - sample compliance clause)
www.cba.org (Canadian Bar Association - search Publications for "Countdown to 2000)
www.software.ibm.com/year2000/resource.html
www.year2000.com