
Why Companies Should Take A Holistic Approach to Digital Accessibility

Over the past several years, there has been a tremendous increase in the prevalence of digital tools, online businesses, and mobile applications.  This has led to a spike of litigation in both federal court, under Title III of the Americans with Disabilities Act (ADA), and similar state statutes, such as New York Human Rights Law and California’s Unruh Act, as users with a variety of disabilities allege challenges in accessing various components of a company’s online business.  

The Beckage Website Accessibility Team, made up of lawyers who are also web developers and web design business owners, continues to monitor federal and state filings under the ADA, which have more than quadrupled in the past seven years. While no industry is immune, we have noticed a trend of lawsuits targeting the retail and restaurant sector, as more individuals with disabilities are seeking out websites over brick-and-mortar stores, creating higher risk for online businesses with accessibility issues.

Part of the surge in litigation over the past handful of years stems from the lack of clarity from the Department of Justice, the federal agency responsible for enforcing the ADA. In 2017, the DOJ withdrew its rulemaking and declined to issue clarifying regulations, leaving continued uncertainty about what digital accessibility entails. A wave of litigation ensued and shows no signs of letting up. Absent legislation or guidance from the DOJ, now is the time for organizations to take a holistic approach to digital accessibility, taking proactive steps to make their digital platforms accessible to users with a variety of disabilities. But what does that look like in practice, and why should your organization make accessibility a priority in 2021?

Current Legal Landscape

As any good business understands, it is crucial to always keep the consumer top-of-mind, and your online presence is certainly no exception. Creating a digital platform that can be used by the greatest number of consumers possible should always be the goal, and that number needs to include the 1 in 5 Americans who have a disability.

However, deciphering what exactly it means for an online business to be considered accessible under Title III of the ADA has been a constant challenge for companies, web designers, and attorneys working in the accessibility space. Despite the DOJ’s silence on the issue, the Web Content Accessibility Guidelines (WCAG) 2.1, a private industry standard published by the World Wide Web Consortium (W3C), are widely accepted by industry and the courts as the yardstick for accessibility. WCAG defines three conformance levels: Level A, Level AA, and Level AAA. Level A and Level AA address the most common barriers for disabled users and are therefore the accepted benchmark for website accessibility; AAA is treated as aspirational.

It is also important to note how Title III of the ADA intersects with privacy regulations. For example, while there is currently no federal data privacy law, the regulations implementing the California Consumer Privacy Act (CCPA) require that a website’s Privacy Policy be “reasonably accessible” to consumers with disabilities, including individuals using screen-reading software and other assistive tools. This is an important piece of that comprehensive data privacy legislation, and while it does not address the accessibility of the rest of a business’s website, making sure your digital tools, such as web forms for data subject rights, cookie consent banners, and similar features, are accessible to the greatest number of users makes sense in the spirit of the regulation. Additionally, with a new administration in the White House, we may see federal legislation that clarifies both data privacy and accessibility standards nationally, which would make working toward compliance and avoiding predatory lawsuits easier for companies with an online presence.

What We’ve Learned About ADA Accessibility Claims

Practically speaking, it remains unclear what having an “accessible” website means. For this reason, a very high number of ADA cases filed against online businesses are quickly settled outside of court to avoid the expense of litigating in such uncertain terrain.   

Website and mobile app accessibility claims against businesses in a variety of sectors have become a familiar occurrence. Most of these cases share similar allegations: a disabled individual alleges that they encountered multiple access barriers that denied them full and equal access to the goods and services the company offers online. In most of these cases, the plaintiff attempted to use screen-reading software to access the website or mobile application and claims the platform is incompatible with the assistive technology they use.

Other common claims include improperly labeled links and pages, inconsistent placement of on-page elements such as the shopping cart, and missing image alt text, title elements, and other features that help blind users navigate a website. The plaintiff therefore argues that the business has violated Title III of the ADA and related state statutes, entitling the plaintiff to, among other things, injunctive relief and attorneys’ fees.

Practical Steps for Businesses

The sheer volume of settlement agreements and cases Beckage has worked on has exposed some common themes and provided valuable insights into how online businesses can proactively address website accessibility and minimize legal risk.  We recommend the following four-prong approach:  

  1. Consult with legal tech counsel, like Beckage, to evaluate litigation risk and regulatory compliance;
  2. Have your website or mobile app audited, under the protection of attorney-client privilege or by a trusted third-party vendor, against the WCAG Level A and Level AA success criteria to determine what remediation is necessary to address existing barriers, and then test the remediated site with assistive technology, such as a screen reader, to confirm the barriers are actually gone;
  3. Publish a legally reviewed Accessibility Statement on the public-facing website and mobile application, and develop internal policies, procedures, and a training program that provide for regular accessibility audits and assessments; and
  4. Operationalize accessibility within your organization, prioritizing a top-down, multi-department approach to building accessibility throughout the organization.
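The barriers listed above (missing alt text, unlabeled links, missing title elements) and the audit in step 2 are concrete enough to check mechanically. The script below is an added example, not Beckage’s tooling or any vendor’s product: it runs a few WCAG Level A checks (images without alt text, links with no accessible name, a missing page title, a missing document language) over a constructed HTML sample using only the Python standard library. A scan like this catches the defects most often pleaded in complaints but is not a substitute for the screen-reader testing the step calls for, since it cannot judge whether an alt text or link label is actually meaningful.

```python
from html.parser import HTMLParser
from typing import List


class AccessibilityAudit(HTMLParser):
    """Flags a handful of WCAG Level A failures: <img> without alt, <a> with no
    accessible name, no <title>, and no lang attribute on <html>."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[str] = []
        self._in_link = False
        self._link_text: List[str] = []
        self._link_has_label = False
        self._title_seen = False
        self._html_lang = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "html":
            self._html_lang = bool(a.get("lang"))
        elif tag == "title":
            self._title_seen = True
        elif tag == "img":
            alt = a.get("alt")
            if alt is None:  # alt="" is a valid marker for a decorative image
                self.findings.append(f"img without alt: src={a.get('src')!r}")
            elif self._in_link and alt.strip():
                self._link_has_label = True  # the image's alt text names the link
        elif tag == "a":
            self._in_link = True
            self._link_text = []
            self._link_has_label = bool(a.get("aria-label") or a.get("title"))

    def handle_data(self, data):
        if self._in_link and data.strip():
            self._link_text.append(data.strip())

    def handle_endtag(self, tag):
        if tag == "a" and self._in_link:
            if not self._link_text and not self._link_has_label:
                self.findings.append("link with no accessible name")
            self._in_link = False

    def finish(self) -> List[str]:
        self.close()
        if not self._title_seen:
            self.findings.append("page has no <title>")
        if not self._html_lang:
            self.findings.append("<html> has no lang attribute")
        return self.findings


def audit_html(doc: str) -> List[str]:
    """Run the checks over one HTML document and return the findings in document order."""
    parser = AccessibilityAudit()
    parser.feed(doc)
    return parser.finish()


# Constructed sample page (not from any real site): one icon link with no text and
# no alt, one icon link named by its alt text, one link named by aria-label, one
# decorative image, and one link with nothing inside it at all.
SAMPLE_PAGE = """<html>
<head></head>
<body>
  <a href="/cart"><img src="cart.png"></a>
  <a href="/sale"><img src="sale.png" alt="Spring sale"></a>
  <a href="/help" aria-label="Help center"><span class="icon"></span></a>
  <img src="divider.png" alt="">
  <a href="/account"></a>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_html(SAMPLE_PAGE):
        print(finding)
```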

Keeping in mind the end goals of improving usability for individuals with disabilities and avoiding frivolous lawsuits, businesses can arm themselves with a proper plan to address their online platforms’ accessibility. From our experience, a holistic approach to digital accessibility that brings together stakeholders and decision makers from throughout the organization as accessibility champions is the best way to operationalize accessibility.

With former web developers and technologists on staff, Beckage is well-suited to help businesses from all sectors and industries navigate the uncertain legal landscape surrounding website accessibility. Through collaborating with in-house technologists, outside vendors, members of the disability community, and internal assistive technologies, Beckage attorneys work under privilege to conduct internal and remedial audits of client websites and mobile applications, evaluate platform compatibility, and oversee implementation of recommended remedial or accessibility-enhancement measures.  Our team can help you develop and implement a sustainable accessibility program that contemplates compliance with the WCAG guidelines and other current and future website accessibility standards and best practices.

Subscribe to our newsletter.

*Attorney Advertising. Prior results do not guarantee similar outcomes.


Mobile App Developers Take Notice Of New Apple Privacy Requirements

Companies that have, or are developing, mobile applications distributed through Apple’s App Store should be aware of recent privacy updates and take steps to prepare their business for these new privacy requirements in 2021.

Apple’s Announcement

Beginning on December 8, 2020, Apple will impose specific requirements for the disclosure of privacy practices for all applications on the product page in the App Store. This change will help users understand an app’s privacy practices before they download it on any Apple platform. The App Store product page will now feature a privacy information section covering data collection practices, the types of data collected, the data linked to the user, user tracking, and privacy links. More details about Apple’s announcement can be found on Apple’s privacy details page, and additional guidance on how to provide app privacy information can be found in App Store Connect.

In addition to providing information about some of your app’s data collection practices on your product page, on iOS 14, iPadOS 14, and tvOS 14, apps will be required to receive user permission (opt-in consent) to track users across apps or websites owned by other companies or to access the device’s advertising identifier. This change allows users to choose whether they permit an app to track them or access their device’s advertising identifier.

Tracking refers to the act of linking user or device data collected from your app with user or device data collected from other companies’ apps, websites, or offline properties for targeted advertising or advertising measurement purposes.  Tracking also refers to sharing user or device data with data brokers.  To provide developers time to make necessary changes, apps will be required to obtain permission to track users starting early next year.  Additional guidance can be found at the Apple developer’s blog page.

What To Do Now

Businesses should take steps to make sure their current practices are legally compliant and address Apple’s new guidelines.

Now is an ideal time to work with your tech legal counsel to review your privacy policy and the App Store guidelines as well as applicable laws to confirm that the statements made throughout your policy are true and accurate representations of your data collection and sharing practices. Apps will need to create standardized privacy disclosures for the App Store to meet format and content requirements, but these responses should be carefully reviewed as not to conflict with any existing privacy statements.  Your internal business practices and collection protocols may change from time to time, which is why Beckage recommends an annual review of your privacy policy and related practices.  

Additionally, businesses should consult with their tech legal counsel to review and update consent language and disclosures for pop-ups and any related consent forms. There may be specific regulatory or statutory requirements for obtaining consent through a mobile application that need to be evaluated. For example, although the CCPA does not currently impose opt-in requirements, the GDPR has specific requirements for consent that may need to be met should the GDPR apply to your application.

Beckage lawyers have worked with numerous mobile app developers on privacy matters.   The Beckage team of lawyers is made up of technologists and certified privacy professionals who can help develop and review new and existing privacy policies to ensure compliance with Apple’s new privacy requirements. To reach a Beckage attorney, call 716.898.2102.


Data Breach Risks for Small & Medium Sized Businesses

Today, small and medium sized businesses (SMBs) are sometimes at greater risk of cyber-attacks and security breaches than large enterprises and corporations. Seventy-one percent of cyber-attacks happen at businesses with fewer than 100 employees, owing to less secure networks, lack of time, budget constraints, and limited resources for proper security. Other factors, such as not having an IT network specialist, being unaware of cyber security risks, lack of employee training on cyber security practices and protocols, failure to update security software, outsourcing security without oversight, and failure to secure endpoints, may also play a role in the increased cyber-attacks on SMBs.

Common Cyber Attacks on SMBs:

  • Advanced Persistent Threats. Long-running, stealthy intrusions in which an attacker keeps access to a computer or network over an extended period with the intent to gather information.
  • Phishing. Criminals use phishing, via email or other communication channels, to induce users to perform a task such as opening a link or disclosing personal information or credentials. Once the target complies, the attacker can gain access to private systems or data.
  • Denial of Service Attacks (DoS, DDoS). Attackers deny service to legitimate users, either with specially crafted data that causes an error in the system or by flooding it with so much traffic that it no longer functions. Some attackers pair the outage with an extortion demand: pay a fee and the attack stops.
  • Insider Attacks. An insider attack may occur when employees who do not practice good cyber hygiene, or who act maliciously, misuse their access, resulting in stolen and/or compromised data.
  • Malware. Malicious software may be installed on a computer without the user knowing, causing serious data or security breaches.
  • Password Attacks. Attackers use automated tools to guess passwords (brute force) or to replay credentials leaked in other breaches (credential stuffing) in an attempt to access a network. Once inside, they can move laterally to reach additional systems.
  • Ransomware. Ransomware is malware that encrypts (and increasingly also steals) data on a network, preventing user access. Access is restored only if the attacker’s demands are met, and even then there is no guarantee.

To help ensure your business is protected, it is important to know and understand the different ways hackers can gain access to a network and pose a threat to the data security of the business.

Some Ways SMBs Can Help Avoid Being a Victim of Cyber-Attacks

  • Understand Legal Requirements

Often, SMBs are unaware of cybersecurity best practices, so they rely on vendors without first determining what their legal obligations are to have particular cybersecurity and data privacy practices in place. Some laws dictate the steps an organization is required to take. It is therefore prudent for a company to develop a plan with legal counsel and then identify the right vendors to execute that plan.

  • Use a Firewall

Firewalls control traffic between your private network and the internet, blocking unauthorized connections in either direction. The Federal Communications Commission (FCC) recommends that all SMBs set up a firewall, both at the network perimeter and internally between network segments, to put a barrier between your data and cybercriminals.

  • Document Cybersecurity Policies

It is critical as a business to document your cybersecurity protocols. As discussed above, there may even be legal obligations to do so. There are many sources available that provide information on how to document your cybersecurity. The Small Business Administration (SBA) Cybersecurity portal provides online training, checklists, and information specific to protecting small businesses. The FCC’s Cyberplanner 2.0 provides a starting point for security documents and the C3 Voluntary Program for Small Businesses contains a detailed toolkit for determining and documenting the cybersecurity practices and policies best suited for your business.

  • Plan for Mobile Devices

With technology advancing and companies allowing employees to bring their own devices to work, it is crucial for SMBs to have a documented written policy covering security precautions and protocols for smart devices, including fitness trackers and smart watches. Employees should be required to enable automatic security updates, and businesses should implement (and enforce) a company password policy that applies to all mobile devices accessing the network.

  • Educate Employees on Legal Obligations and Threats

One of the biggest threats to data security is a company’s employees, but they also can help be the best defense. It is important to train employees on the company’s cybersecurity best practices and security policies. Provide employees with regular updates on protocols and have each employee sign a document stating they have been informed of the business’ procedures and understand they will be held accountable if they do not follow the security policies. Also, employees must understand the legal obligations on companies to maintain certain practices, including how to respond to inquiries the business may receive from customers about their data.

  • Enforce Safe Password Practices

Lost, stolen, or weak passwords account for over half of all data breaches. It is essential that SMB password policies are enforced and that all employee devices accessing the company network are password protected. Favor length over complexity: NIST SP 800-63B recommends long passwords or passphrases screened against lists of known-breached passwords, and advises against both mandatory composition rules (upper and lower case, numbers, symbols) and scheduled rotation every sixty to ninety days, since both push users toward predictable patterns. Change a password immediately whenever compromise is suspected, and pair passwords with multifactor authentication.

  • Regularly Back Up Data

It is recommended to regularly back up word-processing documents, spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files, as well as data stored in the cloud. Keep backups in a separate location not connected to your network, so that ransomware on the network cannot reach them, and periodically test restoring from them to confirm the backup is actually working.

  • Install Anti-Malware Software

It is vital to have anti-malware software installed on all devices and the networks. Anti-malware software can help protect your business from phishing attacks that install malware on an employee’s computer if a malicious link is clicked.

  • Use Multifactor Authentication

Regardless of precautions and training, your employees will likely make security mistakes that may put data at risk. Multifactor authentication (MFA) requires a second proof of identity beyond the password, so a phished or guessed password alone is not enough to log in; enable it first for email, remote access, and administrative accounts.

Both technology and cybercriminals are becoming more advanced every day. Cyber security should be a top priority for your SMB. The right technology experts can help identify and implement the necessary policies, procedures, and technology to protect your company data and networks.

Beckage is a law firm focused on technology, data security, and privacy. Beckage has an experienced team of attorneys, who are also technologists, who can help educate your company on the best practices for data security that will help protect you from any future cyber-attacks and data security threats.


The Risks Associated with Disinformation and Deep Fakes

Disinformation is the deliberate spreading of false information about individuals or businesses to influence public perception of them. Deep fakes, media synthesized or manipulated by machine learning, advance the danger. Deep fakes can be photos, videos, audio, or text manipulated by artificial intelligence (AI) to portray known persons acting or speaking in an embarrassing or incriminating way. As deep fakes become more believable and easier to produce, disinformation is spreading at alarming rates. Some risks that arise with disinformation include:

  • Damage to Reputation

Reputational attacks target companies of all sizes with rumors, exaggerations, and lies that harm the business for someone else’s economic gain. Remedying reputational damage may require large sums of money, time, and other resources to prove the media was forged.

  • Blackmail and Harassment

Photos, audio, and text manipulated by AI can be used to embarrass or extort business leaders, politicians, or public figures through the media.

  • Social Engineering and Fraud

Deep fakes can be used to impersonate corporate executives and facilitate fraudulent wire transfers. These tactics are a new variation of Business E-mail Compromise (BEC), traditionally an impersonator gaining access to an employee’s or business associate’s email account to trick companies, employees, or partners into sending money to the attacker. A voice or video deep fake removes the need to compromise a mailbox at all, which is why verifying any payment instruction out of band, through a known phone number, remains the practical defense.

  • Credential Theft and Cybersecurity Attacks

Attackers can also use sophisticated impersonation and social engineering to obtain IT credentials from unwitting employees. After gaining access, the attacker can steal company data and personally identifiable information or infect the company’s systems with malware or ransomware.

  • Fraudulent Insurance Claims

Insurance companies rely on digital graphics to settle claims, but photographs are becoming less reliable as evidence because they are easy to manipulate with AI.  Insurance companies will need to modify policies, training, practices, and compliance programs to mitigate risk and avoid fraud.

  • Market Manipulation

Scammers also seek to profit from disinformation through fake news reports and social media schemes that use phony text and graphics to move financial markets. Traders whose algorithms act on social posts and headlines may find themselves prey to these schemes. As realistic but manipulated video and audio become more accessible, these misperceptions will become substantially more believable and harder to correct.

  • Falsified Court Evidence

Deep fakes also threaten the authenticity of media evidence presented in court. If falsified video and audio files are admitted as evidence, they have the potential to mislead jurors and affect case outcomes. Moving forward, courts will need to scrutinize potentially manipulated media and the chain of custody behind it.

  • Cybersecurity Insurance

Cybersecurity insurance helps cover businesses from financial ruin but has not historically covered damages due to disinformation.  Private brands, businesses, and corporations should consider supplementing their current insurance policies to address disinformation to help protect themselves from risk.

Legal Options

There are legal avenues for responding to disinformation. Deep fakes that falsely depict individuals in a demeaning or embarrassing way may give rise to claims for defamation, trade libel, false light, or intentional infliction of emotional distress, and, where the deep fake uses the image, voice, or likeness of a public figure, violation of the right of publicity.

Preventative Steps

Apart from understanding the risks associated with disinformation, companies can work to protect themselves from disinformation and deep fakes by:

1. Engaging in social listening to understand how a company’s brand is viewed by the public.

2. Assessing the risks associated with the business’ employed practices.

3. Registering the business trademark to have the protection of federal laws.

4. Having an effective incident response plan in the event of disinformation, deep fakes, or data breach to mitigate costs and prevent further loss or damage.

5. Communicating with social media platforms in which disinformation is being spread.

6. Speaking directly to the public, the media, and their customers via social media or other means.

7. Bringing a lawsuit into court if a business is being defamed or the market is manipulated.

What To Do When Facing Disinformation

If a business is facing disinformation, sophisticated tech lawyers can assist in determining rights and technological solutions to mitigate harm.  Businesses are not defenseless in the face of disinformation and deep fakes but should expand their protective measures to mitigate the risks associated.  

About Beckage

Beckage is a team of skilled technology attorneys who can help you protect your company from cyber attacks and defamation caused by disinformation and deep fakes. Our team of certified privacy professionals and lawyers can help you navigate the legal scope of the expanding field of disinformation.


Legal Strategies When Executing a Distributed Workforce Strategy

In a short period there has been a monumental push for remote working arrangements by almost every existing organization. As a result of the Coronavirus outbreak, our calendar has been filled with appointments to discuss the practical considerations and steps that every leadership team is facing, from executive to technology, including application and business stakeholders. This incident has brought on evaluations of an organization’s readiness through the lens of business continuity, incident response, and more expansive administrative, technical, and physical safeguards.

While not exhaustive, below is a list of some areas to consider in executing a distributed workforce strategy:

Principle of Least Privilege – Has the organization operationalized the principle of least privilege? Does it extend to your remote access management? Opening the floodgates to all end users at once is neither practical nor safe. Discuss a tiered approach and, where preventive controls are not possible or practical, implement detective controls: automated log management, review, and analytics to identify anomalous behavior on networks or systems that are classified as mission critical or that handle the most sensitive data. Take a risk-based approach to identity and access management and consider a more restrictive policy; you can remind your user base that this is a temporary measure. From a security perspective, your objective is to narrow the attack surface; remember the security triad of Confidentiality, Integrity, and Availability.
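A detective control of the kind described above, as an added example that is not part of the original post: a Python script that runs over remote-access log lines and flags four things worth a reviewer’s attention, a burst of failed logins from one source, a successful login from a source the user has never used, a success from a source that just produced a burst (the signature of a guessed password), and a login outside business hours. The log format, the thresholds, the business-hours window, the sample lines and the per-user baseline are all constructed assumptions for illustration; map them onto whatever your VPN concentrator or RDP gateway actually emits.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Dict, List, Set

# Constructed line format (an assumption, not any vendor's): timestamp, user, source, result.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

FAIL_THRESHOLD = 5             # this many failures from one source ...
FAIL_WINDOW_SECONDS = 600      # ... inside this window counts as a password-guessing burst
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 UTC treated as expected (assumption)


def parse_line(line: str) -> dict:
    """Turn one log line into a dict with a timezone-aware datetime in 'ts'."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unparseable line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def _finding(kind: str, ev: dict, **extra) -> dict:
    return {"type": kind, "user": ev["user"], "src": ev["src"], "ts": ev["ts"].isoformat(), **extra}


def detect_anomalies(lines: List[str], baseline: Dict[str, Set[str]]) -> List[dict]:
    """baseline maps each user to the source addresses they normally log in from.
    Events are processed in time order regardless of the order lines arrive in."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    findings: List[dict] = []
    recent_fails: Dict[str, deque] = defaultdict(deque)  # src -> timestamps of recent failures
    burst_sources: Set[str] = set()

    for ev in events:
        src, user, ts = ev["src"], ev["user"], ev["ts"]
        if ev["result"] == "FAIL":
            window = recent_fails[src]
            window.append(ts)
            while (ts - window[0]).total_seconds() > FAIL_WINDOW_SECONDS:
                window.popleft()  # drop failures that fell out of the window
            if len(window) >= FAIL_THRESHOLD and src not in burst_sources:
                burst_sources.add(src)  # report each source once, not on every extra failure
                findings.append(_finding("brute_force", ev, attempts=len(window)))
            continue

        # A successful login: judge it against what we know about the user and the source.
        if src not in baseline.get(user, set()):
            findings.append(_finding("unknown_source", ev))
        if src in burst_sources:
            findings.append(_finding("success_after_burst", ev))
        if ts.hour not in BUSINESS_HOURS:
            findings.append(_finding("off_hours", ev))
    return findings


# Constructed sample (deliberately out of order): documentation-range addresses only.
SAMPLE_LOG = [
    "2020-03-23T23:45:00Z user=alice src=198.51.100.10 result=OK",
    "2020-03-23T09:02:11Z user=alice src=198.51.100.10 result=OK",
    "2020-03-23T09:05:01Z user=bob src=203.0.113.7 result=FAIL",
    "2020-03-23T09:05:09Z user=bob src=203.0.113.7 result=FAIL",
    "2020-03-23T09:05:17Z user=bob src=203.0.113.7 result=FAIL",
    "2020-03-23T09:05:26Z user=bob src=203.0.113.7 result=FAIL",
    "2020-03-23T09:05:34Z user=bob src=203.0.113.7 result=FAIL",
    "2020-03-23T09:10:30Z user=bob src=203.0.113.7 result=OK",
]
BASELINE = {"alice": {"198.51.100.10"}, "bob": {"198.51.100.22"}}

if __name__ == "__main__":
    for f in detect_anomalies(SAMPLE_LOG, BASELINE):
        print(f)
```

On the sample, alice’s 09:02 login is silent (known source, business hours), the fifth failure from 203.0.113.7 produces one brute_force finding, bob’s later success from that same address produces both unknown_source and success_after_burst, and alice’s 23:45 login is flagged off_hours for review rather than treated as an intrusion.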

Remote Desktop Protocol – Now is the time to check your remote access configurations. Expect a significant uptick in incidents exploiting exposed remote-access services; these are frequently the point of entry for ransomware attacks. Audit your network and, if you haven’t already, identify servers and devices listening on ports 22 (SSH), 23 (Telnet), and 3389 (RDP). Once identified, and where permitted by your circumstances, immediately close port 23 on all systems (Telnet sends credentials in cleartext) and any SSH or RDP listener that is not strictly necessary; anything that must stay reachable should sit behind a VPN or gateway, be fully patched, and require multi-factor authentication. It was only a year ago that we saw BlueKeep (CVE-2019-0708), the vulnerability that allowed unauthenticated remote code execution through RDP.
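The audit described above, as an added example that is not part of the original post: a Python script that probes a host list for TCP listeners on the three ports and pairs every hit with the action recommended above. For an offline, runnable demonstration, demo() stands up a local socket that plays the role of an exposed RDP listener and releases a second port to play a closed Telnet port; the host list, the catalog mapping and that stand-in are constructed for illustration. Against real targets, pass your own host list and the default catalog, and run it from a vantage point that sees the network the way an outsider would.

```python
import socket
from typing import Dict, Iterable, List, Tuple

# The three ports the post singles out, with the action it recommends for each.
REMOTE_ACCESS_PORTS: Dict[int, Tuple[str, str]] = {
    22: ("SSH", "close unless required; otherwise allow-list sources and use key auth"),
    23: ("Telnet", "close everywhere: credentials travel in cleartext"),
    3389: ("RDP", "close or put behind VPN/gateway; patch (BlueKeep) and require MFA"),
}


def tcp_listener_present(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP handshake to host:port completes, i.e. something is listening."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable
        return False


def audit_hosts(hosts: Iterable[str],
                catalog: Dict[int, Tuple[str, str]] = REMOTE_ACCESS_PORTS,
                timeout: float = 1.0) -> List[dict]:
    """Return one finding per (host, port) where a listener is reachable."""
    findings: List[dict] = []
    for host in hosts:
        for port, (service, action) in catalog.items():
            if tcp_listener_present(host, port, timeout):
                findings.append({"host": host, "port": port, "service": service, "action": action})
    return findings


def demo() -> dict:
    """Offline demonstration (constructed): a local listener stands in for an exposed
    RDP port, and a port we bind then release stands in for a closed Telnet port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)  # the handshake completes in the kernel; no accept() needed
    open_port = listener.getsockname()[1]

    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()  # nothing listens here now

    catalog = {open_port: REMOTE_ACCESS_PORTS[3389], closed_port: REMOTE_ACCESS_PORTS[23]}
    try:
        findings = audit_hosts(["127.0.0.1"], catalog, timeout=0.5)
    finally:
        listener.close()
    return {"open_port": open_port, "closed_port": closed_port, "findings": findings}


if __name__ == "__main__":
    for f in demo()["findings"]:
        print(f"{f['host']}:{f['port']} {f['service']} -> {f['action']}")
```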

Data in Transit and At Rest – Revisit your organization’s encryption standards as they apply to data in transit and at rest. With an expanded remote workforce handling sensitive and non-public data, encryption of data at rest should be at the top of your discussion list. The NY SHIELD Act, whose data security requirements became effective March 21, 2020, expands the definition of private information to include personal information in combination with various listed data elements (refer to NY Senate Bill S5575B) that “were not encrypted” or were “encrypted with an encryption key that has also been accessed or acquired.” In other words, encryption only keeps an incident out of breach-notification territory if the key was not taken along with the data. For financial institutions, the FFIEC, which prescribes uniform principles and standards, states that institutions should employ encryption to mitigate the risk of disclosure or alteration of sensitive information in storage and in transit.

Password Strength and Two-Factor Authentication – Replace any default or weak login credentials with passphrases. NIST published this guidance in 2017 (SP 800-63B), and organizations have been slow to adopt passphrases in place of their typical 8-character passwords. Now is a good time to implement passphrases, to communicate the change as a necessary response to the distributed workforce requirement, and to pair them with two-factor authentication on every remote-access path. Similarly, revisit screensaver and session lockout times; remember, this is about narrowing the attack surface. If you can shorten these timeouts by 5 minutes, the compounding effect across, say, 1,000 employees is 5,000 minutes, or roughly 83 hours. That is 83 hours less time a bad actor has to compromise your devices. In addition, review failed-login-attempt configurations; you can lock an account after fewer attempts than usual. This can be a temporary measure until your workforce returns to the office.
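A passphrase policy check aligned with NIST SP 800-63B, added here as an example serving both this section and the password advice in the small-business post above; it is not Beckage’s code or a product. The blocklist is a small constructed stand-in for a real breached-password corpus, the sequence and repetition thresholds are assumptions, and the username and organization words are illustrative. What the check deliberately does not do is as important as what it does: there are no composition rules and no expiry date, because 800-63B drops both.

```python
import re
from typing import Dict, Iterable, List

# Constructed stand-in for a breached/common-password list. In production, screen
# against a real corpus (for example Have I Been Pwned's k-anonymity range API).
BLOCKLIST = {"password", "password1", "password1!", "123456", "12345678",
             "qwerty", "letmein", "welcome1", "iloveyou"}

MIN_LENGTH = 8       # SP 800-63B floor for user-chosen memorized secrets
MAX_LENGTH = 128     # 800-63B says accept at least 64; this cap is an assumption
SEQ_RUN = 4          # "abcd" / "4321" style runs of this length are rejected (assumption)
REPEAT_RE = re.compile(r"(.)\1{3,}")  # the same character four or more times in a row


def _has_sequence(pw: str, run: int = SEQ_RUN) -> bool:
    """True if any `run` consecutive characters step by exactly +1 or -1 in code point."""
    for i in range(len(pw) - run + 1):
        chunk = pw[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def evaluate_password(pw: str, username: str,
                      context_words: Iterable[str] = ()) -> Dict[str, object]:
    """Return {'accepted': bool, 'reasons': [...]} for a candidate memorized secret.
    Spaces and all printable characters are allowed; length is what matters."""
    reasons: List[str] = []
    lowered = pw.lower()
    if len(pw) < MIN_LENGTH:
        reasons.append("too_short")
    if len(pw) > MAX_LENGTH:
        reasons.append("too_long")
    if lowered in BLOCKLIST:
        reasons.append("blocklisted")
    if REPEAT_RE.search(pw):
        reasons.append("repetitive")
    if _has_sequence(pw):
        reasons.append("sequential")
    for word in [username, *context_words]:  # 800-63B: context-specific words
        if word and word.lower() in lowered:
            reasons.append("context_word")
            break
    # Deliberately absent: upper/lower/digit/symbol composition rules and a
    # rotation schedule. Change a secret when compromise is suspected or
    # confirmed, not on a calendar.
    return {"accepted": not reasons, "reasons": reasons}


if __name__ == "__main__":
    for candidate in ["Password1!", "coffee mug rain fiddle 42", "jsmith2020"]:
        print(candidate, evaluate_password(candidate, "jsmith", ["beckage"]))
```

Note that "Password1!" satisfies every traditional composition rule and still fails, because it is on the blocklist, while a four-word passphrase with no symbols passes; that inversion is the point of the NIST change.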

Communication – The question that has come up most is about communication while working remotely. The workforce will need to be informed as they transition to remote work. Organizations will need to remind their workforce of what is expected of them under policies such as acceptable use, BYOD, information security, business continuity, disaster recovery, and incident response. Similarly, the workforce should be reminded of safe security practices at home (for example, when did they last update their router firmware?). While company-wide communications will be necessary, tailored communications to various departments may be equally important. For example, the Incident Response Team leader should communicate regularly with all stakeholders and review the Incident Response Plan to evaluate whether its procedures depend on the physical proximity of the parties with responsibilities. Likewise, physical security may have unique requirements since the offices will be largely empty.

The push to remote work has forced organizations to revisit their control environments, operational workflows, and technical capabilities. This is an exercise that requires input and coordination across the organization and highlights the importance of a policy governance structure.  
