By Joe Alecci, IT Senior Manager
Over the last year or so, banks have been heavily focused on complying with the latest cybersecurity laws and regulations -- as they should be -- but lately, it has been a much older law that has been causing compliance and financial stress. Title III of the Americans with Disability Act (“ADA”) prohibits discrimination on the basis of disability in places of public accommodations. This includes information technology and internet websites, which have been the center of a growing number of lawsuits nationwide.
The Department of Justice (“DOJ”) has delayed issuing specific ADA website accessibility regulations until 2018, but this has not protected banks and other website operators from liability. On the contrary, the courts have generally been receptive to plaintiffs’ claims under Title III of the ADA and Section 504 of the Rehabilitation Act.
In 2015, for example, Harvard University and the Massachusetts Institute of Technology (“M.I.T.”) were sued by the National Association for the Deaf for failing to provide closed captioning for their online course, lectures, podcasts, and other educational materials. The DOJ filed a brief in the cases, stating that “Both the ADA and Section 504 currently obligate [Harvard/M.I.T.] to provide effective communication to ensure equal access..." to its services. In both matters, the court dismissed motions by the defendants to dismiss or delay proceedings until DOJ promulgated rules.
Since there is no shortage of potentially non-compliant websites out on the internet, the Seyfarth ADA Title III News & Insights Blog noted that thousands of formal complaints have been filed based on purported non-compliance with Title III requirements.
It was also noted that New York and Pennsylvania are among the top 10 highest states of lawsuits with 543 and 102 respectively and will continue to rise.
Just as vexing has been the stratagem of “trolling,” in which thousands of demand letters will be sent to banks and businesses asserting website accessibility claims. While these claims are purportedly based on scans of the websites in question, the letters often appear to be form letters with no special relevance to the banks or businesses, apart from having been addressed to them. Typically, an expedited settlement will be suggested which will include attorney fees and costs.
In a recent article by the American Bar Association, entitled “Avoiding the Website Accessibility Shakedown,” Title III compliance is summed up as “providing auxiliary aids and services to ensure effective communication absent an undue burden or fundamental alteration to goods and services.” Some ways in which a website can be made compliant is by including features, such as text alternatives for non-text content, alternatives for multimedia content, assistive technologies, full keyboard functionality, and increased time to access and navigate content.
Fortunately, adhering to the established guidelines of the Web Content Accessibility Guidelines (“WCAG”) will be recognized as fulfilling ADA requirements. These guidelines were developed by the World Wide Web Consortium (“WC3”) for providing web developers with success criteria in the development of websites that would be accessible to all users, including those with limited abilities. In 2008, these criteria were updated in WCAG 2.0, and are now used by the DOJ in testing conformance with ADA accessibility requirements.
For each of the WCAG 2.0 guidelines, a set of testable success criteria is provided as well as a rating scale to determine the specific level of conformance with ADA requirements. The three levels of conformance are defined as: A (lowest), AA, and AAA (highest). For compliance purposes, it seems that the DOJ expects conformity with Levels A and AA guidelines to satisfy compliance requirements.
To determine their level of conformity, many of our clients have engaged us to perform an extensive assessment of their websites. Our ADA assessment utilizes over 170 quality tests to each page of a target website to determine the level of conformance with WCAG 2.0 guidelines. We then provide a detailed analysis of the identified issues in a prioritized report that allows for our clients to develop a plan to obtain the necessary “level AA” compliance. Please contact me: JAlecci@pandgassociates.com
Joseph Alecci, CISA, CISM, CISSP, CRISC
Senior Manager – IT Audit & Information Security
Joseph Alecci leads the IT/Cybersecurity Audit & Risk Management Group at P&G Associates. He has over 20 years of experience in information systems and auditing management and is a member of the ISACA N.J. Chapter Board of Directors.