The Millennium Bug and Corporate Criminal Liability
The end of the century offers an opportunity to reflect on legal responses to changes in social and economic organisation. Increasing reliance on sophisticated technology, the developing popular vocabulary of risk, and attempts to deploy the resources of criminal law against business enterprises are some of the manifestations of those changes. This paper argues that the debate about potential criminal liability for 'Millennium Bug' disasters captures these key features of contemporary life. After discussing the broad theoretical framework of disaster and risk, the paper moves to a detailed analysis of recent developments in corporate criminal liability in England and Wales, and in other jurisdictions.
Keywords: Attribution, Corporations, Manslaughter, Risk society.
This is a Refereed Article published on 30 June 1999.
Citation: Wells C, 'The Millennium Bug and Corporate Criminal Liability', 1999 (2) The Journal of Information, Law and Technology (JILT). <http://elj.warwick.ac.uk/jilt/99-2/wells.html>. New citation as at 1/1/04: <http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/1999_2/wells/>
'If the millennium bug were to cause a large number of catastrophes and fatalities, would it be possible to prosecute individuals and companies involved in the computer and software business?' (The Guardian 19 August 1998).
Most people, even the diminishing number who have never personally used a computer, know about the Millennium Bug and have some perception about its potential for causing disaster. As with any legal question, the answer to the particular one posed in the Guardian's Notes and Queries column must be that 'it depends'. As well as examining some of the factors which would determine the answer to this specific question, I want to relate an account of corporate and organisational criminal liability for foreseeable disaster to theories about the kinds of lives we lead at the turn of the century. Criminal law, replete as it is with symbolism and blame, is a fascinating repository, a silt, for the fears and uncertainties in everyday life. Where hooligans and gangs once fully occupied those spaces, their tenancy is challenged by mass transport, global communication and a sceptical reliance on science.
The use of the phrase 'catastrophes and fatalities' provides the heading for the first section of the paper; here I explore theories of disaster, and the risk society. The inquirer then proceeded to ask whether prosecutions of individuals or organisations would be possible if such catastrophes arose. In the second part I discuss the range of potential criminal liability which might arise, and conclude with an analysis of recent developments in organisational liability in common law and European civil law jurisdictions.
The assumptions we make about the role of criminal law are connected with our understanding of the world; an understanding increasingly mediated by technological knowledge and risk evaluations. Most deaths are a catastrophe or even a disaster for somebody, but some deaths, particularly when they occur simultaneously from a common cause, come to be seen as more than a personal tragedy and enter the cultural framework of disaster. For events to be seen as newsworthy disasters, they usually affect several people, often hundreds, either at the same time, or in a way which can be clearly linked. Disaster does not have to be about death; we talk of financial disaster or environmental disaster. It is this broad category of culturally recognised disasters which is my focus in discussing the criminal liability of companies or organisations for Millennium Bug failures. Because of our overarching dependence on computers the potential for multiple impact over a wide range of activities, whether affecting personal safety or corporate finance, is difficult fully to imagine, and therefore more greatly to be feared.
The placing of responsibility for untoward events at the door of organisations, and remediable by state intervention through the use of criminal law involves a shift in political and social frameworks of blame. Drawing on the analysis developed by Felstiner, Abel, and Sarat (1980) on the transformation of a personal injury into a legal dispute, three stages can be observed in the move from acceptance of death and disaster to the wide-felt need to blame. The 'naming' is the recognition that disastrous events are more than 'accidents' or 'acts of God'. The 'blaming' occurs through changing ideas about human behaviour and social groupings; a systems based conception of organisational behaviour has gradually come to replace the assumption that individuals act either alone or as atoms in a wider group. The third stage, 'claiming' invites an exploration of the increased tendency to deploy criminal law as the avenue of blame.
The Year 2000 crisis fits Barry Turner's theory of man-made disasters. A disaster he defines as 'an event, concentrated in time and space, which threatens a society or a relatively self-sufficient sub-division of a society with major unwanted consequences as a result of the collapse of precautions which had hitherto been culturally accepted as adequate.' (Turner and Pidgeon 1998; p70) For the Millennium Bug failure to be perceived as potentially disastrous a process of cultural acceptance of the role of computer technology in many aspects of life had first to take place.
Secondly, this acceptance had to be fitted in an understanding of the complexities and inter-dependencies of life in the late twentieth century. The recognition that disasters are not solely a matter for scientists or engineers but that there is an organisational and social dimension to understanding untoward events is relatively recent. Socio-cultural factors simultaneously contribute to the identification of the event as a disaster and to theories about their cause. The same faith in science, technology and experts led both to a failure to recognise the socio-cultural dimension in the concept of disaster and to a lack of interest in the broader antecedents of disaster. Turner (1998) characterises disasters as arising from a complex pathology, often including system and communication failures. It is no more appropriate to attribute disastrous events to 'acts of God' than it is to blame individual managers or employees; systems lie behind success, and they lie behind failure.
A dominant feature of late twentieth century life is the existence of large, transnational businesses. Whichever country you travel to, you are likely to encounter globally recognised names - Microsoft, McDonald's, Visa. This is both reassuring - the world is rendered more familiar because they are presented as homely personalities - and frightening - the inability to escape the influence and reach of the impersonal organisation. Large organisations tend to breed the conditions for disaster. The larger the organisation, the greater the diffusion of responsibility, and the greater the possibility for disaster, and for disaster of greater reach. Size exaggerates the effect of what Turner calls the 'rigidities of perception and belief' whereby individuals within organisations operate with ''perceptual horizons' with regard to those things which are significant and important to them in the pursuit of their tasks, the positioning of those horizons being influenced and reinforced by institutional beliefs and terms.' (1998, p 48) If one looks behind the immediate precipitating factor - the last cause - it is generally possible to trace the development from an earlier normal point to the final breakdown. It is this transition between normal and breakdown which underlies Turner's theory: the development of understanding in relation to a disaster can only be retrospective. When people ask 'why didn't anyone realise that 2000 would cause a problem?' they are asking with the benefit of hindsight a question which would better be framed as 'when did people think that their programmes would still be operating in Year 2000, and what did they do about it?' (see also Rowland (1999)).
Ulrich Beck's 'risk society' thesis provides powerful insights into the role and focus of blame in contemporary society. (Beck; 1992, and Giddens; 1991) Risk society raises issues of trust, accountability and personal responsibility. The social institutions associated with law themselves play a significant role in risk management and the production of risk knowledge.
There is a nice irony in the notion that the very technology which has brought about the risk society has fallen victim to it. The risk society is organised around the production of knowledge about risk. Risk is about external danger, of which technological breakdown is but one example. Knowledge about risk has been assisted by the two developments which we now take for granted: statistical analysis and the technology to communicate the results of that analysis. Concern with risk is not merely to do with knowledge of probability, it is to do with cultural attitudes to the acceptability of different hazards. This informs the extent to which we are likely to ascribe any instance of technological failure to the 'Bug' and to look to a legal solution.
What determines the site of 'claim'? Why prosecutions for 'Bug' catastrophes rather than compensation through civil claims? When we talk about criminal behaviour, criminal responsibility and criminal punishment, we do not usually think very deeply about the meaning of criminality and criminal law. Although it is traditionally conceived as a system of state-imposed punishment, criminal law is chameleon-like, adopting or mimicking the compensatory, reparatory and mediatory roles of civil law. (Zedner; 1994, and Wells; 1998) It is both impossible and undesirable to hold constant one model of criminal law - it shifts as we speak, it means different things depending on our subjective position - as victim, as tax evader, as child abuser, as school teacher, as debater or as IT expert. The layers of meaning within the institution of criminal law and justice are not mutually exclusive, indeed are often incompatible, allowing it to be conceived as 'a system of imposed social control; a system based on reciprocity of obligations and the recognition of certain universally held rights and interests; a system which reproduces and reinforces certain shared meanings; a system which manages or suppresses certain kinds of social conflict; and many other things besides.' (Lacey; 1993, p 621)
Criminal law, or our understanding of it, is complex, contingent and contradictory. If we are to ask about prosecutions for Millennium Bug disasters, then we need to think about the functions and purposes of criminal law. We can combine a functional analysis of crime with the insights of Beck (1992) and Giddens (1991). Durkheim (1958) argued that crime is functional, that societies make criminals rather than criminals unmaking society, and that social organisation is dependent both on the existence and breaking of social rules. The concepts of the deviant and of deviant behaviour are created by and for social systems, they offer 'a dialectical tool for the clarification of threats, ambiguities, and anomalies in classification systems.' (Rock; 1997)
The relationship between risk and blame can be understood in this way. Perceptions of risk affect the ways in which societies respond to different threats, how they distribute institutional authority; and they additionally provide the focus for debates about morality and identity. (Douglas; 1992) What is regarded as risky by social groups is selected not given. The BSE crisis as it developed in the UK provides an example of preoccupations with risk and its deployment as a cultural resource, including its potential to provide a vocabulary with which to make sense of seemingly uncontrollable hazards. On the one hand, technological innovation has transformed the agrarian base of the food economy into a major international business reliant on mass-production methods and transportation - hence the emergence of the risk of widespread (invisible) contamination. On the other, our familiarity with and reliance on risk analysis leads to the belief that danger is quantifiable and predictable. BSE has shaken those beliefs and at the same time confirmed that bringing hazard under control is both individualized and reliant on expert knowledge.
Much of the risk society literature is couched in complex terms but at bottom there is a simple argument about our transition from localised self-sufficiency through industrial paternalistic societies to the emergence of societies where risk is privatized, a matter for individual judgment, and an issue of institutional trust. It is that institutional trust which is threatened by the 'Bug' or by the perception of the risk that the 'Bug' brings. The 2000 problem illustrates very well that individual situations are also institutional because, as Beck argues, 'the liberated individual is dependent on a series of secondary agencies and institutions.' (Beck; 1992, p130-2) The relationship between the individual and institutions affects all aspects of the question we are considering here. It affects the social, economic and cultural context in which people live their lives; it affects their perception of risk; and it affects their understanding of the causes of untoward events. The changing relationship between individual citizens and community, and between social and state institutions, inevitably brings shifts in our understanding of those institutions themselves.
All this is an essential background to understanding or predicting the legal consequences of any Millennium Bug breakdowns. It is not sufficient to note the contours of liability, it is necessary to consider the forces and pressures which serve to create, amplify or down-play the causes of any 'disaster'. The range of causal factors from which to select in our explanation or attribution of any accident includes at one end the individual operator's human error and at the other the accepted practices and operating procedures of particular industries.
The Millennium Bug is perhaps comparable to the fears about nuclear plant breakdown - the clock cannot be turned back. At the time that systems were put in place, the risk inherent in the fin de siecle was not realised. An organisation which has failed to recognise that there might be a problem, and whose systems shut down as a result, would have little defence to the prosecution for any offence based on negligence or recklessness. An organisation which recognises the presence of the time-bomb but whose efforts to dispose of it are only partially successful would be vulnerable depending on the level of competence and commitment to removing the problem relative to the potential effect of breakdown. Emergency services - fire, ambulance and police - which provided no backup systems might be thought to be negligent. The local bakers which relies on computer technology for controlling the temperature of its ovens, might not be expected to invest large amounts in averting a systems failure. To this extent Year 2000 is but a specific example of contingency planning by technologically dependent business (i.e. virtually all business). Most companies have back up systems in the event of computer failures; for example, the Royal Bank of Scotland has generators to keep its mainframes and cashpoint network going in the event of a power failure at its centre. (Daily Telegraph; 1999, see also Campell; 1999) Without IT there is often no business - so investing in backup is sensible. But Year 2000 is different in the sense that it is internal to the system. It is rather like the difference between attempting to ensure that there is an ambulance service to pick up road accident victims and establishing a preventive screening service for a hereditary disease. There will be a tendency to attribute all service failures to Millennium breakdowns, although in many cases this will turn out not to be the cause. 
And, since the process of adaptation to deal with 2000 will inevitably introduce new bugs and glitches, (Computing; 1998) the potential for 'disillusion' with legal responses is high.
The key message in my argument so far is that the concepts and constructions of 'disaster' and 'law' are fluid, something like a lava lamp in their relationship with each other. That is the theoretical framework in which to place the following account of corporate or organisational liability.
In terms of assessing potential liability it always has to be remembered that criminal offences vary widely in their conduct and fault elements. When it comes to financial losses, criminal law generally is concerned with intentional and dishonest behaviour and this is unlikely to be of any relevance. Where injuries are caused, then a form of subjective recklessness is the most common underlying fault element; for manslaughter an objective form of negligence, distinguished from civil negligence only by the gravity of the departure from a reasonable standard, applies. There are many statutory offences which might potentially be triggered by a computer failure, such as consumer protection, and health and safety breaches. Many of these are either offences of strict liability or have a reverse onus of proof defence based on due diligence or the taking of all reasonable precautions. The following account describes how criminal law has responded to the increasing imperative to ensure that it applies to corporations as well as to individuals.
The starting point is that a corporation is a separate legal person subject to civil and criminal laws. (Salomon v Salomon (1897); Criminal Justice Act 1925, s. 33 (3) and Interpretation Acts 1889-1978) For a prosecution to succeed against a company two broad questions need to be addressed: is the offence one which a corporation is capable of committing and what principles will apply to impute that offence to a corporation?
There has been a gradual expansion in the common law of corporate criminal liability, both of the range of offences a corporation is capable of committing and in the means by which an offence is imputed to a corporation. There are now very few offences which a corporation cannot commit and any doubt that this included manslaughter was removed in 1991. (R v P&O European Ferries (Dover) Ltd) This followed earlier moves in the US, Canada, Australia and New Zealand which are discussed further below.
The precise answer to the question of how an offence is to be imputed to a corporation has returned to the judicial drawing-board in the last decade. Traditionally only two mechanisms for attributing criminal fault to a corporate body have been recognised: the vicarious principle and the doctrine of identification. Vicarious liability grew out of the development of liability of a master (employer) for his servant (employee), and has been applied mainly to offences in the regulatory field. Whether a particular provision imposes vicarious liability on an employer (whether natural or corporate) is a matter of construction depending upon 'the object of the statute, the words used, the nature of the duty laid down, the person upon whom it is imposed, the person by whom it would in ordinary circumstances be performed, and the person upon whom the penalty is imposed.' (Mousell Bros Ltd v London and North Western Railway Co (1917), per Atkin J, p 845) In general, the process of judicial interpretation of the statutory object led to corporate liability being imposed only for regulatory offences, especially those offences which did not require proof of mens rea or a mental element. While the general principle that a company can be prosecuted for a criminal offence has long been accepted, the question whether a particular statute imposes such liability and whether the vicarious or identification doctrine will apply, is rarely if ever spelled out, and thus the process of interpretation is open-ended.
The identification model developed somewhat later. Until the 1940s, the courts stuck firmly to the view that it was inappropriate to bring a prosecution against a company for serious offences, many of which were of course common law offences requiring proof of a subjective mental element. The identification theory, developed from a series of fraud cases, marked the recognition of corporations as capable of committing offences which required proof of a mental element. (R v ICR Haulage Ltd (1944)) Initially the solution to the conceptual problem of attributing a mental element to a company imagined the company's senior officers acting as, rather than on behalf of, the company. And in Tesco v Nattrass (1972) the House of Lords held that only those who control or manage the affairs of a company are regarded as embodying or acting as the company itself for these purposes.
The underlying theory is that company employees can be divided into those who act as the 'hands' and those who represent the 'brains' of the company. This approach has its origins in the following observation by Viscount Haldane in an earlier civil case:
'[A] corporation is an abstraction. It has no mind of its own any more than it has a body of its own; its active and directing will must consequently be sought in the person of somebody who for some purposes may be called an agent, but who is really the directing mind and will of the corporation, the very ego and centre of the personality of the corporation.' Lennard's Carrying Co Ltd v Asiatic Petroleum Co (1915)
Two assumptions therefore developed: that there were only two possible routes to corporate attribution of criminal liability (vicarious and identification), and that the latter applied to offences with a mental element, including those with a reverse onus due diligence or other type of defence. However, several recent decisions have challenged these assumptions.
It is increasingly accepted that neither of the two legal forms which have evolved to deal with corporate defendants, the agency and the identification models, is satisfactory. Vicarious liability is both too wide (in attributing the wrongdoings of any employee to the company) and too narrow (in leaving no opportunity to explore company policies), while the identification principle is seen as insensitive to the diversity of corporate organisation. The categorisation of any particular offence between these two routes to liability is critical; identification liability stops at wrongdoing in the Boardroom while vicarious liability extends the corporation's responsibility to the acts of all employees.
It has now been recognised that the identification doctrine is unsuitable for many offences, and that its strict application would frustrate the purposes of criminal law. Many offences contain a reverse onus of proof defence allowing the defendant to prove that she exercised all due diligence in avoiding the offence, or took all reasonable precautions or some similar formulation. It had been assumed, almost by default, that identification liability applied to these hybrid offences, with the result that a company which could show that its directors or officers had acted with due diligence, or had taken precautions, could avoid liability.
Recent cases have held that corporations are now becoming liable for hybrid offences committed by any employee. Tesco v Nattrass has been distinguished on a number of occasions. The scope of an employer's duty under the Health and Safety at Work Act 1974 to ensure '...as far as is reasonably practicable, that employees and non-employees are not exposed to risks to their health or safety...' (section 3) was considered in R v British Steel (1995). How is this to apply to a large-scale employer? Is the employer to be responsible only where at a board of director level there are no adequate systems in place, or whenever any employee exposes another to such a risk? The Court of Appeal, favouring the latter, held that the section imposed a vicarious liability; there was no escape route for the company in showing that, at a senior level, it had taken steps to ensure safety if, at the operating level, all reasonably practicable steps had not been taken. The company, in other words, falls to be judged not on its words but its actions, including the actions of all its employees. A number of other cases have taken a similar line: Tesco Stores Ltd v London Borough of Brent (1993); R v Associated Octel Co Ltd (1996) and R v Gateway Foodmarkets Ltd (1997). It is important to note that these are not all health and safety cases. It could be argued that it is inappropriate to make the leap from the employer's duties under the 1974 Act to corporate liability. Although it is true that not all employers are bodies corporate and that liability under the 1974 Act is personal (applying equally to human or corporate employers), this does not detract from the similarity in the underlying principles. These cases recognise that legislation, whether addressed to employers or to all persons, needs to be interpreted in such a way that it reflects organisational and economic realities.
The same consideration has informed a second modern development: the broadening of identification liability itself. A supplement to vicarious liability and to the identification principle has emerged; it dissociates the corporation from the individual human agents. This will have direct relevance to the shape of corporate manslaughter, since it has led to a reconsideration and reinterpretation of Tesco v Nattrass even where it applies to offences requiring proof of a mental element.
In the advice of the Privy Council in Meridian Global Funds Management Asia Ltd v Securities Commission, (1995) Lord Hoffmann explained the need for a more sophisticated and flexible approach to the problem of attributing knowledge (or other mental elements) to a corporate body. The 'directing mind' model in Tesco v Nattrass should not be regarded as the exclusive tool for attributing culpability to a company. It was relevant to examine the language of the particular statute or offence, its content and policy. In acknowledging the need for a more sensitive test of corporate attribution Meridian takes corporate liability principles further into the interstices of the company's decision-making structures.
Lord Hoffmann stated that the choices for the criminal law in deciding whether to apply an offence to a company included whether the offence applied to companies at all and whether it would only apply on the basis of the company's primary rules of attribution. Where the act was specifically authorised by a resolution of the board or the unanimous agreement of the shareholders there would be no difficulty. But, he continued: '[T]here will be many cases in which neither of these solutions is satisfactory; in which the court considers that the law was intended to apply to companies and that, although it excludes ordinary vicarious liability, insistence on the primary rules of attribution would in practice defeat that intention. In such a case, the court must fashion a special rule of attribution for the particular substantive rule.'(1995; p 923-4)
To sum up thus far: Tesco v Nattrass, hitherto regarded as the keystone of corporate liability for non-regulatory offences, has been under siege. Significant damage was inflicted when Meridian asserted that the attribution principle to be applied should be derived from a review of a number of factors: the structure and functions of the company; who performs them in practice and the policy underpinning the law being enforced. The person or persons whose actions are attributable to the company will be determined so as to give effect to the purpose of the law. If no persons are identifiable, the company may be liable through default of senior management.
It is important that the law applies effectively to large diffuse organisations, especially where they are engaged in enterprises carrying risks to the safety of the public. The social, political and economic context of law and business has inexorably changed over the last century. Law is adapting, with more rigorous enforcement, stricter interpretation and higher penalties of work safety laws. Changing attitudes to safety and risk have led to differing responses to disasters, with corporate accountability supplanting individual blame.
Modern corporations are fragmented and decentralized. They do not conform to the management image prevailing at the time of Tesco v Nattrass. As one commentator noted of Meridian: 'Organisation theory and practice have certainly moved away from the simple vertical command-and-control model of how a company functions. In an age of flatter corporate hierarchies, 'empowered' front-line employees and devolved decision-making, Lord Hoffmann's decision has considerable resonance in the real commercial world.' (Gray; 1996)
Meridian allows the court to look with an open mind at the attribution rules for the offence of corporate manslaughter. The Privy Council has returned the law to first principles and advised that there is no general rule requiring a court to isolate the 'controlling mind' of a company. Since it is only in the last 10 years that the offence of corporate manslaughter has been confirmed, there are inevitably few cases, and there is none at appellate level, from which to determine the attribution route.
It can be noted that the substantive requirements for manslaughter have changed since the failed prosecution of P&O European Ferries. The 'mens rea' or culpability element in manslaughter is gross negligence. (R v Adomako (1994)) Because manslaughter is unique among serious common law crimes in having a negligence threshold rather than a subjective mental element as for other offences, it is inappropriate to use the identification rule which developed to deal with subjective mental states such as dishonesty and intention to defraud. To do so would ignore the strong line of appellate cases already referred to, in some of which the offence required either proof of knowledge (Meridian (1995)) or a reverse onus defence based on lack of knowledge. (Tesco v Brent (1993)) The compass of attribution was drawn much more widely, and in some as widely as in the vicarious route, than in Tesco v Nattrass.
Following the prosecution of P&O European Ferries in 1991, and the convictions of OLL Ltd and Jackson Transport, there is no doubt that the law of manslaughter applies to corporations. (R v P&O European Ferries (Dover) Ltd (1991); R v Kite and others (1994); R v Jackson Transport (Ossett) Ltd (1996)) OLL Ltd was a small 'one-man' business. Jackson Transport similarly had only one director, but was larger with 40 employees and 30 road tankers of the type in which the death occurred. Protective equipment and safety standards generally were found to be poor. Fewston Transport, against whom manslaughter charges were eventually not brought, was likewise a medium sized company. Although a challenge by judicial review was unsuccessful on the grounds that the Crown Prosecution Service's decision could not be said to be perverse or wholly unreasonable, both Rougier J and Staughton LJ expressed the view that the CPS had taken a pessimistic view of the prospects of conviction. 'The brakes of the lorry, weighing with its load 30 tons and destined to travel in hilly country, were very badly maintained. The result was appalling: three innocent passers-by killed, and a small child and the two drivers. Both the coroner and the Traffic Commissioner are critical of the company and its senior officials. Surely it is in the public interest that there should be a prosecution for manslaughter?' (R v Crown Prosecution Service, Ex parte Waterworth (1995) per Staughton LJ)
The requirements for manslaughter by a corporate body were also briefly discussed in a judicial review of an inquest verdict of unlawful killing following the death of a disabled woman in a care home. (R v HM Coroner for Reading ex parte West Berkshire Housing Consortium Ltd. (1995)) The coroner invited the jury to consider corporate manslaughter on the basis that there was no written instruction to staff to say that the woman should not be left unattended in the bath, and there should have been such an instruction. Although the unlawful killing verdict was quashed on other grounds, Popplewell J concluded that it would have been possible for a jury properly directed to have found unlawful killing by way of corporate manslaughter in the case.
The likelihood of a successful prosecution for manslaughter against a large company has been enhanced by these three developments: progress towards a modern conceptualisation of corporate attribution; the return of 'the good old days of gross negligence' manslaughter; (ex parte West Berkshire HC (1995); Popplewell J) and confirmation that the law of manslaughter applies to corporations.
This is reinforced by the knowledge that similar questions about corporate responsibility are being asked by legal systems throughout the world. Corporate liability for crime has appeared on the agenda in many jurisdictions over the last 10 years, including in the civil law systems in Europe. The Netherlands, France and Spain have introduced corporate criminal liability and the subject is under active discussion in Germany and Italy. (de Doelder and Tiedemann; 1996; Eser, Heine, Huber; 1999) The Canadian Supreme Court, in a departure from Tesco v Nattrass, has developed a more sophisticated scheme of corporate liability which, inter alia, recognises that companies may have more than one directing mind. The essence of the test is whether the identity of the directing mind and the company coincide when the directing mind is operating in his/her assigned field of operations. The field of operations may be geographic or functional or embrace the entire operations of the company. (Canadian Dredge and Dock Co Ltd v The Queen (1985)) In general, New Zealand and the common law states in Australia adhere most closely to the law of England and Wales. New Zealand recognised the application of manslaughter to corporations in R v Murray Wright Ltd. (1969).
In parallel with the developments over the last 10 years in England and Wales, there has been a rise in the number of corporate manslaughter prosecutions in the common law world, particularly in the United States and Australia. This is seen partly as a response to the failure of federal health and safety agencies vigorously to pursue prosecutions in relation to workplace. (It should be noted that, in both the USA and Australia, homicide is a state matter.)
28 State legislatures have adopted corporate liability principles, many of which echo the broad federal attribution rules whereby a corporation is liable for the acts committed by its agents acting within the scope of their authority. As in R v Pioneer Concrete (1994) and Meridian Global Management (1995), the fact that employees have acted in breach of express management instructions does not take their activities outside the scope of their employment. As long as the employee is acting in furtherance of the corporation's business she is acting within the scope of her employment. However, some States limit attribution to the acts of high managerial agents, which is nonetheless wider than the Tesco v Nattrass formulation.
Corporations have been held liable for manslaughter or reckless homicide in many states. (see Appendix) As in England and Wales it has often proved easier to obtain convictions against smaller companies than against nationals and multinationals operating across a number of sites. (Reiner and Chatten-Brown; 1989, p 97) This underlines the need for a rule of attribution for corporate liability which is responsive both to small and large enterprises.
There have been two prosecutions of companies in the State of Victoria, although neither was successful. (R v Hatrick (1995); R v Dynamic Demolitions Pty Ltd (1997)) The Australian Criminal Code Act 1995 provides one of the most detailed modern restatements of organisational liability. This is a federal statute, not yet in force, whose purpose is to ensure a harmonisation of federal and state principles. It undoubtedly reflects current thinking by the States' Attorneys-General. The Act provides that, for offences of intention, knowledge or recklessness, the 'fault element must be attributed to a body corporate that expressly, tacitly or impliedly authorised or permitted the commission of the offence.' (Criminal Code Act 1995 (C'th) s 12.3) Authorisation or permission can be shown in one of three ways: the first echoes the Tesco v Nattrass version of identification liability, and the second extends the net wider to 'high managerial agents'. The third represents a clear endorsement of an organisational or systems model, based on the idea of 'corporate culture'. 'Corporate culture' can be found in an attitude, policy, rule, course of conduct or practice within the corporate body generally or in the part of the body corporate where the offence occurred. Evidence may be led that the company's unwritten rules tacitly authorised non-compliance or failed to create a culture of compliance. For negligence offences such as manslaughter the Code provides (section 12.4) that negligence may be attributed to a company if its conduct 'is negligent when viewed as a whole (that is by aggregating the conduct of any number of its employees, agents, or officers.)'
The Millennium Bug is metaphorical, emblematic and paradigmatic. It encapsulates our fears and dependencies confirming the extent to which we seek the 'protection' of criminal law in their wake. Criminal law cannot protect, it can only react, but it is nonetheless a resource of immense symbolic purchase. The incremental development of principles of corporate liability for crime over the last 100 or so years reflects and reinforces the dual institutional towers of the business organisation and the criminal justice system. As a legal person a company can be separately indicted for manslaughter. A company acts through its board of directors, managers and employees. In several recent cases, English courts have recognised that it is necessary to develop rules for attributing to a company actions taken on its behalf. Earlier principles, which assumed that a company was to be likened to a physical person with a brain controlling a body, have been abandoned in favour of a notion of the company which reflects our understanding of modern business enterprise. We do not imagine that we are transacting with the managing director of Marks and Spencer when we shop there, nor that when a plane takes off the airline's board of directors has specific knowledge of its activities, route or condition that day. We do however expect that large companies operate according to a set of rules and procedures and that these, particularly in relation to public transport systems, have addressed the potential risks and developed safety procedures to ensure that those risks are minimised. And if they haven't we look for solace in the criminal law.
Campbell A (1999) 'Banks and Business Customers: The Y2K Problem' Journal of Information, Law and Technology (JILT) 1999 (2). <http://elj.warwick.ac.uk/jilt/99-2/campbell.html>.
Rowland D (1999) 'Negligence, Professional Competence and Computer Systems' Journal of Information, Law and Technology (JILT) 1999 (2). <http://elj.warwick.ac.uk/jilt/99-2/rowland.html>.
Selected Corporate Manslaughter Cases in US
Granite Construction Co v Superior Court 197 Cal Rptr 3 (Cal Ct App 1983).
State of Wisconsin v SA Healy Company Case no F-902661 (Dec 1990).