Audit of the Division of Insurance Overview of Audited Entity

This section describes the makeup and responsibilities of the Division of Insurance

Overview

The Division of Insurance (DOI), located at 1000 Washington Street in Boston, was established in accordance with Chapter 26 of the Massachusetts General Laws and is one of five agencies overseen by the Office of Consumer Affairs and Business Regulation. DOI operates under the direction of the commissioner of insurance, who is appointed by the Governor.

DOI’s mission is to regulate the Commonwealth’s insurance industry, including but not limited to its domestic[1] and foreign[2] insurers, business entities, health maintenance organizations, insurance producers, and brokers. Additionally, DOI intervenes on behalf of Massachusetts residents who believe they have been victimized by unfair business practices. As of April 2019, there were approximately 1,800 insurers conducting business in the Commonwealth.

According to DOI’s website,

The DOI monitors financial solvency, licenses insurance companies and producers, reviews and approves rates and forms, and coordinates the takeover and liquidation of insolvent insurance companies and the rehabilitation of financially troubled companies. We also investigate and enforce state laws and regulations pertaining to insurance and respond to consumer inquiries and complaints.

DOI employed 116 full-time employees as of December 31, 2022. This included attorneys, actuaries, accountants, insurance examiners, and support employees. DOI’s state appropriations for fiscal years 2021, 2022, and 2023 were $15.6 million, $15.6 million, and $16.3 million, respectively.

Massachusetts Requirements for Accessible Websites

In 1999, the World Wide Web Consortium (W3C), an international nongovernmental organization responsible for internet standards, published the Web Content Accessibility Guidelines (WCAG) 1.0 to provide guidance on how to make web content more accessible to people with disabilities.

In 2005, the Massachusetts Office of Information Technology,[3] with the participation of state government webpage developers, including developers with disabilities, created the Enterprise Web Accessibility Standards. These standards required all executive branch agencies to follow the guidelines in Section 508 of the Rehabilitation Act amendments of 1998. These amendments went into effect in 2001 and established precise technical requirements to which electronic and information technology (IT) products must adhere. This technology includes, but is not limited to, products such as software, websites, telecommunications, multimedia products, and certain physical products, such as standalone terminals.

In 2008, W3C published WCAG 2.0. In 2014, the Massachusetts Office of Information Technology added a reference to WCAG 2.0 in its Enterprise Information Technology Accessibility Standards.

In 2017, the Executive Office of Technology Services and Security (EOTSS) was designated as the Commonwealth’s lead IT organization for the executive branch. EOTSS is responsible for the development and maintenance of the Enterprise Information Technology Accessibility Standards and the implementation of state and federal laws and regulations relating to accessibility. As the principal executive agency responsible for coordinating the Commonwealth’s IT accessibility compliance efforts, EOTSS supervises executive branch agencies in their efforts to meet the Commonwealth’s accessibility requirements.

In 2018, W3C published WCAG 2.1, which built on WCAG 2.0 to improve web accessibility on mobile devices and to further improve web accessibility for people with visual impairments and cognitive disabilities. EOTSS published the Enterprise Information Technology Accessibility Policy in 2021 to meet Levels A and AA of WCAG 2.1.

Timeline of the Adoption of Website Accessibility Standards by the Federal Government and Massachusetts

This is a timeline of when the federal and Massachusetts governments adopted different accessibility standards. The timeline starts in 1998 with the Federal Rehabilitation Act and ends in 2021 with EOTSS’s new “Enterprise Information Technology Accessibility Policy.”

While EOTSS establishes standards for executive branch agencies, individual agencies, such as DOI, are responsible for ensuring that their IT solutions and web content fully comply with EOTSS’s accessibility standards. The organization chart below shows the structure of EOTSS and other executive branch agencies. When publishing digital content to Mass.gov or other platforms, state agencies must comply with EOTSS’s Web Design Guidelines, which were published in 2020 based on the federal 21st Century Integrated Digital Experience Act. This law helps state government agencies evaluate their design and implementation decisions to meet state accessibility requirements.

Organization of Information Security for the Commonwealth[4]

This is a chart that shows how different Commonwealth executive offices are responsible for information security.

Web Accessibility

Government websites are an important way for the general public to access government information and services. Deloitte’s[5] 2023 Digital Citizen Survey found that 55% of respondents preferred to interact with their state government services through a website instead of face-to-face interaction or a call center. According to the analytics dashboard for Mass.gov, Commonwealth of Massachusetts websites had a total of 17,771,709 page views in December 2022 alone.

However, people do not interact with the internet uniformly. The federal government and nongovernmental organizations have established web accessibility standards intended to make websites more accessible to people with disabilities, such as visual impairments, hearing impairments, and other disabilities. The impact of these standards can be significant, as the federal Centers for Disease Control and Prevention estimates that 1,348,913 adults (23% of the adult population) in Massachusetts have a disability, as of 2021.

How People with Disabilities Use the Web

According to W3C, people with disabilities use assistive technologies and adaptive strategies specific to their needs to navigate web content. Examples of assistive technologies include screen readers, which read webpages aloud for people who cannot read text; screen magnifiers for individuals with low vision; and voice recognition software for people who cannot (or do not) use a keyboard or mouse. Adaptive strategies refer to techniques people with disabilities employ to enhance their web interaction.[6] These strategies might involve increasing text size, adjusting mouse speed, or enabling captions.

To make web content accessible to people with disabilities, developers must ensure that various components of web development and interaction work together. This includes text, images, and structural code; users’ browsers and media players; and various assistive technologies.

Common Accessibility Features of a Website

This is a picture of a webpage with explanations of how meeting standards makes websites more accessible. Examples include the following: A site’s header can appear throughout an entire site and contain links to main content areas. If fields where text can be entered are properly labelled, screen readers will read aloud the type of information that a user should enter.

IT Governance

IT governance refers to the processes that state agencies use to manage their IT resources. EOTSS documents these processes in standards that it requires all executive agencies to follow and recommends for all other state agencies. Specifically, Section 2 of Chapter 7D of the General Laws states,

Notwithstanding any general or special law, rule, regulation, executive order, policy or procedure to the contrary, all executive department agencies shall, and other state agencies may, adhere to the policies, procedures and objectives established by the executive office of technology services and security with respect to activities concerning information technology.

IT governance processes include business continuity and disaster recovery, information security incident management, and cybersecurity awareness training.

Business Continuity and Disaster Recovery

EOTSS’s Business Continuity and Disaster Recovery Standard IS.005 requires each executive branch agency to develop and maintain business continuity and disaster recovery plans. These plans ensure that agencies have procedures to protect their information assets, recover critical operations, and reduce risks from a potential disruption or disaster.

Information Security Incident Management

EOTSS’s Information Security Incident Management Standard IS.009 requires executive branch agencies to document procedures and establish a plan for responding to security incidents, like a cyberattack, to limit further damage to the Commonwealth’s information assets once a security event is identified.

Cybersecurity Awareness Training

EOTSS has established policies and procedures that apply to all Commonwealth agencies within the executive branch. EOTSS recommends, but does not require, non-executive branch agencies to follow these policies and procedures. Section 6.2 of EOTSS’s Information Security Risk Management Standard IS.010 states,

The objective of the Commonwealth information security training is to educate users on their responsibility to help protect the confidentiality, availability and integrity of the Commonwealth’s information assets. Commonwealth Offices and Agencies must ensure that all personnel are trained on all relevant rules and regulations for cybersecurity.

To ensure that employees are clear on their responsibilities, EOTSS’s policies require that all employees in state executive branch agencies complete a cybersecurity awareness training every year. All newly hired employees must complete initial security awareness training within 30 days of their orientation.

1. An insurer incorporated or formed in the Commonwealth of Massachusetts.

2. An insurer formed by authority of any state or government other than the Commonwealth of Massachusetts.

3. The Massachusetts Office of Information Technology became the Executive Office of Technology Services and Security in 2017 following Executive Order 588 from then Governor Charles Baker.

4. Please note that the Department of Fire Services, Division of Standards, and Operational Services Division audits are separate from this report and can be found on the Office of the State Auditor's website.

5. Deloitte is an international company that provides tax, accounting, and audit services to businesses and government agencies.

6. Web interaction refers to the various actions that users take while navigating and using the internet. It encompasses a wide range of online activities, including, but not limited to, clicking on links, submitting forms, posting comments on webpages, and engaging with web content and services in other forms.

Date published: March 19, 2024