NATIONAL CONFERENCE ON THE I.T. SYSTEM CONVERSION TO THE
YEAR 2000

Rome, June 17 - 18, 1999

 

 

Beniamino Caravita di Toritto

(prof. of Public law at "La Sapienza" University, Rome)

bencarav@tin.it

***

"MILLENNIUM BUG": CONTRACTUAL PROBLEMS AND RESPONSIBILITIES

 

 

1. Foreword: the problem; the cost.

    No final word has yet been uttered as to when the rollover to the third millennium is to come about:  whether, that is, it will be on December 31, 1999 or, rather, on December 31, 2000.  The option, for the one or the other deadline, is not a matter of preference or imagination (certainly, our imagination is more prone to thinking that the third millennium will unfold at the dawn of January, 2000), but it is to be traced within the early events of the Christian age: does, or does not, a year "0" exist? If it does, then the passage to the new millennium will come about on the coming December 31.  If, otherwise, we jumped from year "1" B.C. to year "1" A.D., we are still more than one year away from the dawn of the new millennium.

    The fact is, leaving the onset aside, that the turn to the 2000 could have a serious material impact upon information systems worldwide, an impact which, regrettably, many among economic operators, government authorities and consumer associations have not yet fully appreciated.

    Paradoxically, the problem that could afflict humanity on January 1, 2000 does not originate from the millennium change, but - more banally - from the century change.

    And, indeed, the "Millennium Bug" (or Y2K) problem has originated from the fact that, about thirty years ago, in the early stages of software programming, to save on then costly memory space, programmers decided to represent the year of a date by only its last two digits instead of using four-digit fields:  for example, 73 was used to represent 1973.  The fear is that the 00 of 2000 could be read as 1900 by the software of the millions of artificial brains that now run our lives, with an outcome that today can hardly be anticipated (for example, an interest calculation for the period 1995 thru 2000 could be interpreted as interest accruing between 1900 and 1995).

    Much software has been upgraded, and many networks use software that can read four-digit dates;  but, hitherto, we do not know which and how many systems operate on software that reads two-digit dates:  they could be chips embedded in elevators, or in a water distribution system, or else in a space satellite launched in the 1970s.

    Moreover:  from a legal point of view, regulating the consequences of the "Millennium Bug" is further complicated by the fact that the "bug", albeit not technically a virus, may however act as a virus, infecting otherwise functioning systems:  a network system may be totally immune from the described memory flaws and accept and correctly process all data, but it may be impaired by coming in touch with an external, non-date-change-compliant system.  In addition, in assessing the consequences, even legal ones, the "domino effect" factor has to be accounted for, since a non-compliant system may induce critical situations in all those systems it may come to interact with.

    In any case--may millennium anxieties and late editions of Nostradamus prophecies rest in peace--the problem would be such even if the shift would concern that from 1899 to 1900, or from 2099 to 2100:  it is an information technology problem, not a millennium curse!

    To fully grasp consequences and effects that the shift to the new millennium will bring about, it is useful to recall some of the figures that, with more or less approximation, are to be heard around.  Software Productivity Research has estimated a "bug" worldwide cost of 1,600 billion $US (about three million billion Lit).  One thousand billion $US is the figure indicated by the same source for the sole legal costs.

    In Italy, damage caused by the "Y2K" factor will amount to about 59 thousand billion Liras (Hunter College USA estimate).   New Zealand, among the most Y2K-conscious countries, has calculated a negative economic impact amounting to 0.3% of GNP.  In Great Britain, a 0.8 - 1.5% GNP fall is in the forecast.  We could go on with other, more or less catastrophic data.

    Much of this money has already been spent on year 2000 I.T. system conversion by businesses and, above all, public administrations, to avert the worrying scenarios, some of them apocalyptic, to say the least, that forecasters and I.T. experts have been evoking.

    Such enormous costs pose the problem not only, and not so importantly, of identifying the culprit of the millennium bug but, above all, of determining who - and why - will shoulder the cost of prevention, on the one hand, and of the possible negative consequences on the other:  this entails the usefulness and necessity of an approach to the year 2000 problem from a strictly legal point of view.

 

2. Could a legislative solution be effective?

 

    As a part of this approach, the importance of a possible legislative action should not be dismissed: it is true, indeed, that all the problems which might derive from the "millennium bug" could be framed within the existing instruments and tackled therewith.  We cannot determine, however, which and how much litigation will surface before we hammer out widely acceptable jurisprudential solutions.  Above all, we do not know how long it will take for such solutions to be defined:  it will be necessary, in fact, that each of the problems that will be mentioned herein be heard before the High Court, and thereupon a solution be defined that is accepted by operators and the jurisprudence of reference.  Times - as it appears - may be very long, leaving room, in the meanwhile, for litigation which, according to the usual American estimates, could turn out to be devastating.

    It does not come by chance, then, that in the US a federal bill is being approved (following several state laws).  The main features of the bill, as agreed after lengthy discussions between the House, the Senate and the White House that should grant an early approval, are: a ninety-day moratorium for all lawsuits, to allow interested subjects to possibly resolve the problems; a 250,000 $US damage compensation ceiling, or three times the damage, for private subjects or businesses with less than 50 employees;  definition of a formula for business damage assessment and acknowledgment of compensation only to an extent apportioned to the business contribution to the damage;  the provision that class actions involving participation of a large number of subjects (over 100) or very high compensation requests (over 10 million $US) may be filed only before federal courts (and not before state courts).

 

3. Do software manufacturer responsibilities exist?

 

    In the responsibility chain, the first issue is to ascertain whether manufacturers of Y2K-affected software bear any responsibilities: indeed, within the relationship that binds a software manufacturer (software house) or supplier to a customer or user, be it a private business or a public administration, some sort of contractual responsibilities could be traced, on which also all disputes of a contractual nature (damage to buyers from use of a flawed product or service) and extra-contractual nature (damage to third parties by a flawed product or service) could be based.

    In fact, "the supply by a software house, to an insurance agency, of information hardware and specifically designed application programs must be qualified, irrespective of the wording of the contractual documentation, as an atypical unitary contract (mixed contract) for the supply of an information system that must produce a given result.  Should the supplied information system prove unsuitable for the specified use, the contract would be void due to non-fulfilment on the part of the software house".  (Court of Turin, March 13, 1993).

    In light of this principle, the negative effects upon the functioning of the information systems of any kind of public or private enterprise caused by date-change-non-compliant software could be debited to the program manufacturer, who mainly designs the program and renders it operational.

    If the causes of the year 2000 bug are more closely reviewed, a manufacturer or supplier's responsibility could be outlined which today many analysts tend to exclude.

    According to a widespread technical approach, we could state that the choice that has determined the "millennium bug" (that is, the use of two digits, instead of four, to indicate the year of a date) has been the result of carelessness or thoughtlessness.  Leaving aside the fact that many of the "indicted" codes were written from 1950 onwards, even a two-digit field, indicating only the last two digits of the year, is able to cover the length of a century, so it would have been possible to stretch out correct program functionality for at least 100 years starting in 1950 (considering as year "0" the year the software was written - e.g., 1950 -, we could have reached 2049).  It is the opinion of the most careful analysts that, with a higher level of attention and no need for additional memory, a lapse of 256 years could be covered (this could be accomplished by using a combination of one byte, corresponding to 8 bits).
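
    The arithmetic behind this paragraph and the interest example in the foreword, as an added illustration in Python (not code from the paper or from any system it discusses). The function names and the sample loan figures are assumptions; the 1950 base year is the one the text itself uses as its example.

```python
"""Year-field encodings: legacy two-digit reading vs. offset from a base year."""

BASE_YEAR = 1950  # assumption: the "year 0" the text gives as its example


def legacy_encode(year: int) -> int:
    """Keep only the last two decimal digits of the year (1973 -> 73)."""
    return year % 100


def legacy_decode(field: int) -> int:
    """Legacy reading: the century is hard-wired, so 00 comes back as 1900."""
    if not 0 <= field <= 99:
        raise ValueError("two-digit field must be 00-99")
    return 1900 + field


def offset_encode(year: int, width: int = 100) -> int:
    """Store years elapsed since BASE_YEAR.

    width=100 models the same two decimal digits; width=256 models one byte.
    Out-of-range years are rejected instead of silently wrapping around.
    """
    offset = year - BASE_YEAR
    if not 0 <= offset < width:
        last = BASE_YEAR + width - 1
        raise ValueError(f"{year} is outside {BASE_YEAR}-{last}")
    return offset


def offset_decode(field: int, width: int = 100) -> int:
    """Recover the full year from an offset field of the given width."""
    if not 0 <= field < width:
        raise ValueError("field does not fit the declared width")
    return BASE_YEAR + field


def simple_interest(principal, rate_pct, start_year, end_year, encode, decode):
    """Round-trip both years through storage, then accrue simple interest.

    Integer arithmetic in whole currency units keeps the result exact.
    """
    start = decode(encode(start_year))
    end = decode(encode(end_year))
    return principal * rate_pct * (end - start) // 100


def checked_interest(principal, rate_pct, start_year, end_year, encode, decode):
    """Same calculation, refusing a period that ends before it starts."""
    start = decode(encode(start_year))
    end = decode(encode(end_year))
    if end < start:
        raise ValueError(f"period {start}-{end} runs backwards: bad year field")
    return principal * rate_pct * (end - start) // 100


if __name__ == "__main__":
    # Constructed sample: 1000 units at 5% simple interest, 1995 through 2000.
    loan = (1000, 5, 1995, 2000)
    print("legacy two-digit :", simple_interest(*loan, legacy_encode, legacy_decode))
    print("offset from 1950 :", simple_interest(*loan, offset_encode, offset_decode))
    print("last year, two digits:", offset_decode(99))
    print("last year, one byte  :", offset_decode(255, width=256))
    try:
        checked_interest(*loan, legacy_encode, legacy_decode)
    except ValueError as exc:
        print("rejected:", exc)
```

    The offset scheme moves the rollover to 2049 (two digits) or 2205 (one byte) rather than removing it, which is why the encoder raises an error at the boundary instead of wrapping.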

    The programmers' claim that it was impossible to foresee that software programs written in the 1970s and 1980s would prove so "resilient" may certainly be sustainable, but it is not legally convincing.   It can be objected that computer programs, like many other products or, as in our case, brainpower products, were not produced to last a definite time period, nor was an expiry date ever specified.  Indeed, software lifespan is as long as the user's requirements, and the fact that such software would not resist the year 2000 impact not only was foreseeable, but downright certain.  To complicate the issue - though somewhat reducing the original manufacturer's responsibilities - it may be added that, normally, the more complex programs, made up of the so-called "integrated system" chips, are not totally replaced as time and technological advancements go by, but merely upgraded through modifications that do not alter many of the original chips and codes.

    If this path is followed, we should come to the conclusion that program flaws can be ascribed to programmer's negligent or careless behaviour.

    If failure to foresee year 2000 compliance is considered a software flaw and, consequently, the code provisions of art. 1490 and following are applied to the most typical case of software transfer, the manufacturer's responsibility could hardly be sustained, tied as it is to a very short lapse (8 days) and, in any case, to the one-year statute-barred deadline (art. 1495 of the civil code).

    Indeed, single responsibility instances will mostly depend on the various contractual situations to be examined in each case, with particular reference to limitation of responsibility and warranty clauses.  There could be, for example, software transfer contracts, or user or development licenses; in the latter case, for example, the year 2000 "bug" may be considered as a hidden flaw and the report deadline will be 60 days from discovery, while legal action may be filed within two years from the same.

    In Italy, contractual attention to the millennium bug is low: service supply contracts making no allowance for a millennium change warranty clause are still common.  It is indeed a fact that in the telecommunication network interconnection contracts recently undertaken by various telephone service operators, and disclosed as per art. 19, sub. 3, lett. c of DPR n. 318 of September 19, 1997,  no mention is made of software year 2000 "compliance".   Vice versa, it is rare that this is not required and supplied in contracts within the English-speaking world, particularly the US.  So, for example, a software transfer contract between an American and an Italian company reads:  "The Software is Year 2000 compliant in that, when used, the Software will record, store, process and present calendar dates falling on or after January 1, 2000, in the same manner, and with the same functionality and performance, as the Software on or before December 31, 1999.  However, company A does not guarantee and shall in no case be liable if any Year 2000 non-compliance of the Software is determined by the interoperability of the Software with other software or hardware of company B."

    Again, the same Anglo-Saxon doctrine has, in fact, stated that: "It should also be noted that vendor should be required to both "represent" and "warrant" as to its product being Year 2000 compliant so that the customer is legally entitled to both equitable remedies (such as rescission of contract) for a breach of the "representation" and remedies at law (such as money damages) for breach of the "warranty"." (J. Jinnet, "Legal issues concerning the Year 2000 computer problem: an awareness article for the private sector", in www.year2000.com/archive/legalissues.html).

    In any case, a softening of the rigid terms of legal regulation and of the subsequent responsibilities of software manufacturers and suppliers might perhaps come from the application of the regulation for defective product responsibilities, adopted with DPR n. 224 of May 24, 1988.  In this text, even electric power is considered as a product, as is "every movable goods, even if embedded in other movable or fixed goods".  Considering year 2000 non-compliant software as a defective product, the damage compensation deadline, within the limits of refundable damage as per art. 11 (damage caused by death or personal injury, or damage deriving from loss or deterioration of items other than the defective product, as long as of a kind normally intended for private or personal use and thus used by the injured party), will then be the ten-year term as provided for in art. 14, which will begin from the day the manufacturer or the importer into the EEC began marketing the damage-causing product.

 

4. Does, and within which limits, an obligation to disclosure exist?

 

    Determining the software supplier's responsibility does not naturally wrap up the chapter:  the principle that lies at the basis of the rules for civil responsibilities in our legal system is that of solidarity.  Therefore, the existence of the software manufacturer's responsibilities does not rule out, in principle, the existence of other responsible subjects, even for the entire extent and proportion of the damage.

    An interesting cue for reflection may be traced in the rules laid out in L.D. n. 115 of March 17, 1995, implementing the 92/59/EEC guidance relating to general product safety.  In this legislative act, an obligation to disclosure is stated, naturally preventive in nature, on the part of the manufacturer, who "must provide the consumer with all information apt to assessing and preventing any danger  which may derive from normal, or reasonably predictable use of the product, if these are not immediately perceivable in absence of adequate warning instructions".

    This obligation applies downstream, from the software manufacturer through to the producer of goods or services that has incorporated the software that is supplied to the final consumer or user.  Besides the producer, the disclosure obligation must be extended to public administrations or other public or private entities that provide services of public interest.

    It must be acknowledged that, in Italy, especially as concerns this last profile, the situation appears extremely serious;   ignorance of the millennium bug problem is as worrying as the consequences it may bring about.

    A general obligation to disclosure must therefore be acknowledged as a duty for all those public and private entities that are in contact with citizens, users or final consumers.  Special attention must be paid by those subjects that supply public services, from electricity to telecommunications, from transportation to health care.  Wherever, as it unfortunately appears, timely and adequate information upon possible disruptions and emergency action thereby was not provided, public service management responsibilities will hardly be skipped.

    An interesting aspect of information exchange is the risk that companies exchanging Y2K related information could be pursued for infringement of anti-trust regulations:  in the US, since 1998, the Department of Justice has ruled out that exchange of Y2K related information may constitute an infringement of competition rules.

 

5. Supply, service and maintenance contractual guarantees

 

    The obligation to disclosure, from producer to user, makes it easier, but does not resolve the problem of the existence, in most recent supply or transfer contracts, of a specific "year 2000 compliance" warranty that must be provided by the manufacturer or supplier for its products.    In the most recent contracts, such a warranty will hardly be excluded, unless the buyer accepts the purchase even when the supplier has expressly stated the Y2K "non-compliance" of its products:  what will certainly not be sustainable is blameless ignorance of the "bug flaw" on the part of manufacturers and suppliers.  On the other hand, the presence of the "bug" in the product cannot certainly be considered a fault easily detectable by the buyer, ex art. 1491 c.c. (in the case of sale) or the operator, ex art. 1578 c.c. (in case of leasing, which may include a license for software use).

    In any case, it is useful that a compliance clause be explicitly included, as in the example above.

    A similar argument could apply to assistance and maintenance contracts;  and even in this instance, each case must be assessed, examining single contract clauses.  Should the contract include comprehensive maintenance coverage for any possible problems, it may be assumed that the maintenance provider has underwritten the cost of system repair.

 

6. Management responsibilities

 

    "Directors need to be able to demonstrate that they have taken genuine steps toward addressing the problem. If these steps aren't taken and adequately recorded, the impact on the company and directors in court will be severe."

    The statement - from an article posted on the Internet since 1997 ("Directors may be liable for Y2K problems",   "Computerworld New Zealand",  10/20/1997) - should have - or already has - plunged the management of medium-large enterprises into panic.  In the US it has already happened, and business management has already adopted its countermeasures.  Different reactions are recorded in Europe, particularly in Italy.  And, indeed, in the Anglo-Saxon countries, commercial business administrators and managers are by now aware of, and alarmed by, their possible involvement in terms of  "personal liability" on the basis of  the "duties of care" bond which binds management to the company.

    A possible alternative, for example, is that between the assessment and correction of all of the interested code lines and the radical and substantial modification of the system architecture:  the latter choice could, in some cases, be indeed cost effective or, at parity of costs, it may offer fresh opportunities (to be evaluated even from a fiscal point of view).

    The responsibility of those who are entrusted with the management or a "government" role within a structure, and who have not timely prepared for the advent, more than foreseeable, of the new millennium and, therefore, due to negligence, inexperience or carelessness cause damage to persons or property, shall be more than certain.  Even under art. 2408 of c.c. it will be possible, in fact, to file a Court report of  "serious wrongdoing in the fulfilment of duties by administrators and boards".  Such a report could be followed by a lawsuit against administrators and members of the board.

    This type of responsibility will naturally not be limited to the "private sector", but will likewise touch the public sector, especially local administrations which, to date, appear to be heavily behind in the year 2000 conversion process.  To confirm what has just been said, we may recall the address, to a recent conference on year 2000 system conversion, of one of the participants, the vice president of the Comitato Anno 2000, Counselor Ermanno Granelli, who underscored that administrative and accounting responsibilities of public officials and employees whose behaviour may, even involuntarily, have caused damage to the administration, cannot be ruled out.

 

7. Y2K as an event beyond control

 

    Manufacturer's (software or product) responsibility could certainly be "avoided" by resorting to the concept of "Act of God", thus off-loading the consequences downstream, all the way to the final user or consumer.

    In many contracts, in fact, a provision of this kind is included for the hypothesis that an event "beyond control of the parties" causes non-fulfilment of obligations which, in a supply contract (reasonably identifiable as the contract that will be most affected by the millennium bug), are those of a service supply.  For example, interconnection contracts expressly provide that: "withstanding the provisions of art. 12 of DPR 318/1997, events foreseen as an "Act of God" will render the reciprocal obligations void and will clear Company A and B respectively of any responsibilities.  It is further provided for that, for the period in which the interconnection cannot be assured due to causes beyond control, company B shall not be liable for the service due amount.  Company A, in case of service disruption due to an Act of God, must readily report the onset and the end of such cause, and undertake all actions apt to restore service as soon as possible thereafter.  In the case that such events should last more than three months, the parties shall be free to withdraw from the contract.  To be considered as an Act of God are those events beyond parties' control which will hamper the fulfilment of contract undertakings, such as, for example, impossibility to reach disruption point due to adverse natural events, general strike, epidemic, transportation freeze, earthquake, fire, storm, flood, legislative restrictions, commercial or industrial embargo, war".

    It is also true that, in classifying Y2K as an event beyond control, much depends on single contract clause and formulas, and it is a fact that in the US many companies call for a re-formulation of the Act of God clause to specifically address millennium bug problems.  However, the year 2000 problem could be hardly classified as an "Act of God", being a known problem which may be prevented and corrected - as it has been done - with investment and planning.

    Indeed, if the Act of God is to be intended, as some administrative jurisprudence claims, at least with regard to public transportation service, "not in Civil Law terms as vis cui resisti non potest but, in wider terms, as all the situations which may determine disruption of communications which render necessary the adoption of extraordinary measures" (TAR - Administrative Regional Court -  Sicily, sctn. Palermo, November 16, 1983 n. 948),  it could even seem plausible that all costs due to a millennium bug public service disruption be borne by final consumer or user!

    It is widely held, in legal circles, that the 2000 bug phenomenon will not be classified as an Act of God because of its character of certainty and predictability:  a date change is not an uncertain event.  However, the possibility that Y2K be configured as an event which "resisti non potest" cannot be ruled out a priori keeping in mind not the internal effects of the millennium bug, but the external effects.

    In fact, notwithstanding the persisting unpredictability of the millennium bug effects (pictures range from armageddon to likely, banal, temporary power, gas and telecommunication disruptions) the real problem is that of the domino effect, that is, the linkage of negative effects originated from a single instance that affect even perfectly compliant systems.  Therefore, within the frame of a general emergency, the subject who may prove to have adopted all of the necessary measures to counteract the "bug" negative impact and, nonetheless, finds himself operating within a "corrupted" system due to the domino effect and, consequently is unable to guarantee the fulfilment of his obligations or, worse, causes damage, could rightfully appeal to the "extenuating circumstance" under art. 1218 of c.c. and 45 of p.c.

    In any case, whether the millennium bug be or not considered an Act of God, the exemption from responsibility will always involve that all of the necessary measures be adopted to reduce damage caused even by events classifiable as Act of God:  to that purpose, public administrations and private subjects should prepare business and service contingency plans with regard to flaws and failures both of internal and external systems.

    It is indicative, on this issue, the call of art. 12 of DPR 318, 1997, outlining the "Rules for the implementation of EEC guidance in the telecommunication sector", according to which "each telecommunication entity must adopt, even upon request by the Authority, the necessary measures to guarantee the availability of public telecommunication grid and telecommunication services accessible to the public in the case of grid catastrophic failure, or Act of God, and must submit an implementation plan to the Authority on a yearly basis.  When the above mentioned circumstances arise, the interested entities will do their best to maintain service to the highest possible standard and to respond to the priorities as defined by the relevant authority.  Safety reasons must not impair access or use of fixed public network or other public telecommunication networks, [...] each telecommunication entity will adopt, even as requested by the authority, the necessary measure to assure public telecommunication network integrity.  The necessity to maintain grid integrity is not a valid justification:  to refuse negotiation of interconnection conditions; to impose access restrictions to fixed public network or other public telecommunication networks;  to safeguard network equipment, software or database".

 

8. Penal responsibilities.

 

    Possible penal responsibilities cannot, in principle, be ruled out, but cover a marginal role within the millennium bug phenomenon.  The difficult configuration of crime is due to the malicious character of the same.  Y2K responsibilities, as mentioned, will probably be of an involuntary nature.  It cannot certainly be excluded that someone may take advantage of "bug" chaos to damage I.T. and telecom systems, ex art. 635 bis p.c., or commit an I.T. scam, ex art. 640 ter p.c., or else cause public service disruption, ex art. 331 p.c.  The malicious character of these crimes, however, makes it "simple", theoretically, to identify the culprit.   A close analysis cannot fail to identify certain involuntary penal crime figures that, in a catastrophic scenario which, though lacking the character of probability, is however abstractly possible, could be configured on the midnight of December 31, 1999.   These are hypotheses (such as that provided for in art. 449 of p.c.) which will hopefully remain a mere theoretical exercise for the jurists who deal with millennium bug originated responsibilities.