Introduction
On October 19, 1998, President Clinton signed the "Year 2000 Information and Readiness Disclosure Act" ("Y2K Disclosure Act" or the "Act"). This legislation will have a direct impact on how businesses and individuals publicly disclose and address problems associated with the Year 2000 date change ("Y2K"). Therefore, a general understanding of the Act's purposes and scope is of critical importance to anyone who may be affected by the Y2K problem.
The Year 2000 Problem arises from the many computer software programs and operating systems that use only two digits to designate the calendar year in a date code field. Based on this two-digit format for date coding, computers with date-sensitive programs could recognize the year 2000 as "00" and incorrectly assume that the year is 1900. Similar problems can arise for systems dependent upon embedded chips that are encoded to only use or recognize two digits when referring to a calendar year.
The Act provides added protection from liability for certain public and private statements concerning an entity's Y2K readiness and the Y2K readiness of its products and services. The Act also potentially provides added protection from liability for certain types of Y2K disclosures made after January 1, 1996, and before the date of enactment of the Act, provided that an entity takes specific actions by Thursday, December 3, 1998.
Creation of a "Safe Harbor" for Year 2000 Readiness Disclosures
To promote the exchange of information regarding Y2K issues, the Act creates an evidentiary "safe harbor" that, subject to certain narrow exceptions, prevents liability from attaching to certain types of Y2K statements, identified as "year 2000 readiness disclosures."
The Act defines what qualifies as a year 2000 readiness disclosure. statements concerning Y2K that are used in certain types of actions are excluded from this definition and will not fall within the Act's safe harbor provisions. Specifically, for the purposes of certain securities laws actions, any statements contained in any documents or materials filed with the Securities and Exchange Commission or are not included within the definition of "year 2000 statement." See Y2K Disclosure Act § 3(11)(B). In addition, disclosures or writings regarding Y2K issues that accompany "the solicitation of an offer or sale of securities," not necessarily limited to registered securities, will not be covered by the Act in actions brought under the securities laws.
Burden of Proof; Year 2000 Internet Websites
Another major protection that the Act provides making it more difficult for a claimant to recover on the basis of allegedly false, inaccurate, or misleading disclosures made with respect to the Y2K problem. This is accomplished by raising the burden of proof needed to establish liability in an action based on allegedly faulty year 2000 statements. Further, to the extent that a year 2000 statement is a "republication," the maker has no liability unless the claimant satisfies certain evidentiary requirements.
The Act also specifically addresses the practice of providing information regarding the Year 2000 Problem over the World Wide Web. The Act defines a "Year 2000 Internet Website" to mean "an Internet website or other similar electronically accessible service, clearly designated on the website or service by the person of entity creating or controlling the content of the website or service as an area where year 2000 statements concerning that person or entity are posted or otherwise made available to the general public." Y2K Disclosure Act § 3(7).
The Act then addresses the adequacy of notice regarding Y2K that is posted on a Year 2000 Internet Website. Where the adequacy of notice about year 2000 processing is an issue in a covered action (other than a covered action involving personal injury or serious physical damage to property), the Act provides that "the posting, in a commercially reasonable manner and for a commercially reasonable duration, of a notice by the entity charged with giving such notice on the year 2000 Internet website of that entity shall be deemed an adequate mechanism for providing that notice." Y2K Disclosure Act § 4(d).
Exceptions Altering the Scope of the Act
In addition to the specific exceptions to the evidentiary safe harbor discussed above, there are several other exceptions and provisions of the Act that narrow or broaden the scope of its protections. One such exception is that the Act's intention not to affect or alter an existing contractual relationship between parties. Another exception is that, in a covered action brought by a consumer, the Act does not apply to year 2000 statements "expressly made in a solicitation, including an advertisement or offer to sell, to that consumer by a seller, manufacturer, or provider of a consumer product." Y2K Disclosure Act § 3(3). A further exception is that the Act will "not be deemed to alter any standard or duty of care by a fiduciary" as that term is defined under applicable law. Y2K Disclosure Act § 6(c)(3). Given the scope of fiduciary relationships, this provision may have a broader than expected reach.
Applicability of the Act
The effective date of the Act is October 19, 1998, the date it was signed by President Clinton. Y2K Disclosure Act § 7(a)(1). Generally, the Act applies to any year 2000 statements made between July 14, 1998, and July 14, 2001, and to any year 2000 readiness disclosures made between October 19, 1998, and July 14, 2001. Y2K Disclosure Act § 7(a)(3). Section 7(a)(2) of the Act further provides that it will not effect or apply to any lawsuit pending on July 14, 1998.
SAFEGUARDING AGAINST E-MAIL LIABILITY
Although it is no surprise that conventional "snail mail" is increasingly being replaced by e-mail in business communications, many companies are not aware of the potential liabilities that accompany e-mail use. A company's e-mails generally include: (1) communications with professionals (e.g. lawyers and accountants); (2) business communications with co-workers, clients and other businesses; and (3) personal communications. All three types of communications give rise to different liability concerns.
First, communicating with attorneys and other professionals via e-mail can be time- and cost-efficient for a company, but may give rise to confidentiality concerns. Even though a number of state bar associations, including that of New York, has acknowledged an attorney-client privilege in regular, unencrypted e-mail communications, companies need to make sure that such a privilege is not destroyed or undermined. The privilege can be destroyed if the company vitiates its expectation of privacy in e-mail communications with its attorney by forwarding such e-mails to staff members, or to people outside the company's managerial circle. E-mails that are printed and left in common areas, or that are left opened on monitors can also destroy the privilege. Applying court rulings on conventional communications, attorney-client e-mails that are mistakenly forwarded by the client to third parties would probably still retain privileged status, although no cases appear to have ruled firmly on this issue.
Although not destroyed, the privilege in attorney-client e-mails can be severely undermined if the e-mails are intercepted by third parties as a result of inadequate security. The unauthorized interception of electronic communications is prohibited by the Electronic Communications Privacy Act, but a company that seeks legal redress after-the-fact may incur far greater costs than if it had implemented preventative measures in the first instance. One such measure is secure e-mail routing systems when engaging in transactions where public knowledge of certain facts could be detrimental. A company can request that its law firm establish a routing system through which e-mails can be securely accepted and delivered.
Second, although communicating with clients and other businesses via e-mail may be an indispensable convenience for a company, the repercussions of this convenience are often overlooked. One of the potentially costliest consequences for a company that uses e-mail for most of its business communications is discovery - in the face of litigation, a company may be ordered by a court to reproduce such e-mails at its own cost. Such an obligation could be extremely taxing on a company's resources, and can be avoided by implementing a periodic and systematic policy of deleting e-mails that are unwanted and not subject to legal record-retention requirements. To be effective, such a policy should ensure that deleted e-mail messages do not remain on a computer's hard drive (i.e. they should be electronically "shredded") because discovery demands have extended to e-mails deleted from a computer's desktop but that still reside in the computer's hardware. Companies should note, however, that the destruction of e-mails in anticipation of litigation or otherwise against the law can result in fines and presumptions in trial that are far most costly than discovery of the e-mails would have been.
Third, although a company that grants business e-mail privileges to its employees cannot, as a practical matter, prevent such employees from sending and receiving personal e-mails, it should nevertheless take steps to mitigate potential liability arising from such non-business uses. Inappropriate e-mails (e.g. sexist or racist jokes, harassing messages) sent or forwarded by a company's employee will likely identify the company in the internet protocol address, and may cause embarrassment to the company. Worse yet, recipients of such messages may try (and indeed have tried) to hold the company liable for any injuries. To prevent such claims, a company should delineate its boundaries of permissible e-mail use in the employee handbook or equivalent materials, and should take prompt action when alerted of potential violations. Courts have held in favor of companies that addressed reported violations promptly by, for example, censuring the employee or by holding staff meetings to clarify the company's e-mail usage policies.
SHARING YOUR COOKIES
Online privacy continues to steal much of the spotlight when it comes to Internet-related legal issues, this time taking center stage with the issue of "cookies." Cookies, textual tags that web sites surreptitiously attach to end-users' hard drives to trace their web-surfing patterns, can be used to better understand the preferences of a user, or can be sold by a site to other online marketers. Rather than clarify the issue, a recent ruling has opened a Pandora's box as to the permissible uses of cookie files.
In The Putnum Pit, Inc. v. City of Cookeville, No. 2:97-0108 (N.D. Tenn. Sept. 21, 1998), a news publisher in Tennessee tried to obtain records of city employees' cookie files in order to determine whether they were inappropriately visiting certain web sites while at work. In an opinion laden with constitutional law analysis but lacking in substantive discussion about online privacy and cookie-type technology, the court dismissed the publisher's request.
The crux of the publisher's argument was that city employees' cookie files are a matter of public record that should be freely accessible. The court disagreed, stating that even if such cookie files were public records, the city has a strong enough interest in protecting its "fiscal resources" and was justified in denying the publisher's request, which would have consumed a significant amount of the city's time and money.
The Putnam ruling is by no means a landmark case on the use of cookies, but it has raised numerous questions for future consideration. For example, the court did not definitively state whether the cookie files of a public employees are public records. Nor does it address the confounding factor raised by the city -- that cookie files cannot be public records because they are created by third-party software and are therefore not owned by the city.
Further clarification on the use of cookies will probably come in the wake of pending legislation regarding online privacy. The parameters of any such newly enacted laws will be tested by lawsuits whose facts and rulings will serve as guidance for the public's future behavior.