Overview
The Office of Consumer Affairs and Business Regulation (OCABR) is located at 1 Federal Street in Boston and was established by Chapter 24A of the Massachusetts General Laws. OCABR operates under the direction of its secretariat, the Executive Office of Economic Development, and is headed by a director who is appointed by the Governor.
According to its website, OCABR “protects and empowers consumers through advocacy and education, and ensures a fair playing field for the Massachusetts businesses its agencies regulate.” Website accessibility is also important to achieving OCABR’s mission.
OCABR oversees five regulatory agencies that license various companies and individuals throughout Massachusetts: the Division of Banks, the Division of Insurance, the Division of Occupational Licensure, the Division of Standards, and the Department of Telecommunications and Cable. OCABR also oversees the state’s lemon laws and lemon law arbitration, data breach reporting, home improvement contractor programs, and the Commonwealth’s Do Not Call registry.
OCABR’s state appropriations for fiscal years 2022 and 2023 were $1,804,849 and $2,099,525, respectively. OCABR employed 52 personnel during the audit period.
Massachusetts Requirements for Accessible Websites
In 1999, the World Wide Web Consortium (W3C), an international nongovernmental organization responsible for internet standards, published the Web Content Accessibility Guidelines (WCAG) 1.0 to provide guidance on how to make web content more accessible to those with disabilities.
In 2005, the Massachusetts Office of Information Technology, with the participation of state government webpage developers, including developers with disabilities, created the Enterprise Web Accessibility Standards. These standards required all state executive branch agencies to follow the guidelines in Section 508 of the Rehabilitation Act amendments of 1998. These amendments went into effect in 2001 and established precise technical requirements to which electronic and information technology (IT) products must adhere. This technology includes, but is not limited to, products such as software, websites, multimedia products, and certain physical products, such as standalone terminals.
In 2008, W3C published WCAG 2.0. In 2014, the Massachusetts Office of Information Technology added a reference to WCAG 2.0 in its Enterprise Information Technology Accessibility Standards.
In 2017, the Executive Office of Technology Services and Security (EOTSS) was designated as the Commonwealth’s lead IT organization for the executive branch. EOTSS is responsible for the development and maintenance of the Enterprise Information Technology Accessibility Standards and the implementation of state and federal laws and regulations relating to accessibility. As the principal executive agency responsible for coordinating the Commonwealth’s IT accessibility compliance efforts, EOTSS supervises executive branch agencies in their efforts to meet the Commonwealth’s technology accessibility requirements.
In 2018, W3C published WCAG 2.1, which built on WCAG 2.0 to improve web accessibility on mobile devices and to further improve web accessibility for people with visual impairments and cognitive disabilities. EOTSS published the Enterprise Information Technology Accessibility Policy in 2021 to meet Levels A and AA of WCAG 2.1.
Timeline of the Adoption of Website Accessibility Standards by the Federal Government and Massachusetts
While EOTSS establishes standards for executive branch agencies, individual agencies, such as OCABR, are responsible for ensuring that their IT solutions and web content fully comply with EOTSS’s accessibility standards. When publishing digital content to Mass.gov or other platforms, state agencies must comply with EOTSS’s Web Design Guidelines, which were published in 2020 based on the federal 21st Century Integrated Digital Experience Act. EOTSS’s Web Design Guidelines help state government agencies evaluate their design and implementation decisions in meeting state accessibility requirements.
Web Accessibility
Government websites are an important way for the general public to access government information and services. Deloitte’s 2023 Digital Citizen Survey found that 55% of respondents preferred to interact with their state government services through a website instead of face-to-face interaction or a call center. Commonwealth of Massachusetts websites have millions of webpage views each month.
However, people do not interact with the internet uniformly. The federal government and nongovernmental organizations have established web accessibility standards intended to make websites more accessible to people with disabilities such as visual impairments, hearing impairments, and others. The impact of these standards can be significant, as the federal Centers for Disease Control and Prevention estimates that 1,348,913 adults (23% of the adult population) in Massachusetts have a disability, as of 2021.
How People with Disabilities Use the Web
According to W3C, people with disabilities use assistive technologies and adaptive strategies specific to their needs to navigate web content. Examples of assistive technologies include screen readers, which read webpages aloud for people who cannot read text; screen magnifiers for individuals with low vision; and voice recognition software for people who cannot (or do not) use a keyboard or mouse. Adaptive strategies refer to techniques that people with disabilities employ to enhance their web interaction. These strategies might involve increasing text size, adjusting mouse speed, or enabling captions.
To make web content accessible to people with disabilities, developers must ensure that various components of web development and interaction work together. This includes text, images, and structural code; users’ browsers and media players; and various assistive technologies.
Accessibility Features of a Website
IT Governance
IT governance refers to the processes that state agencies use to manage their IT resources. EOTSS documents these processes in standards that executive branch state agencies are required to follow. Specifically, Section 2 of Chapter 7D of the General Laws states,
Notwithstanding any general or special law, rule, regulation, executive order, policy or procedure to the contrary, all executive department agencies shall, and other state agencies may, adhere to the policies, procedures and objectives established by the executive office of technology services and security with respect to activities concerning information technology.
IT governance processes include information classification, information disposal, information system classification, and the restriction of information access.
Information Classification Policy
EOTSS Asset Management Standard IS.004 requires that state agencies establish classification or sensitivity levels for all of the information in their custody. These classification levels are meant to ensure that information is protected in line with its value. EOTSS’s Asset Management Standard IS.004 lists three levels of classification: public, internal use, and confidential.
The public classification involves information that is viewed by the public (e.g., press releases, information on public-facing websites, or advertising for services). The internal use classification involves information that does not reach the level of confidential but should not be viewed by the public (e.g., internal training materials or policies). The confidential classification is the highest level and involves information that should only be accessed by personnel members who need the information to perform their job duties (e.g., personnel performance documentation, personally identifiable information (PII), federal tax information, or passwords). Confidential information is sensitive by nature and could cause damage to the Commonwealth and its residents if it is compromised.
Information Disposal Procedures
EOTSS Asset Management Standard IS.004 requires that all executive branch state agencies establish information disposal procedures for information in their custody. Section 6.4.2.4 of this standard states that each agency must “Identify and securely delete stored information that exceeds defined retention periods on a quarterly basis.” Information disposal reduces the risk of data becoming compromised by limiting the amount of data that could potentially be stolen. Additionally, specific types of information (e.g., tax data) are subject to state retention schedules with which agency policymakers must comply.
Information System Classification
EOTSS Asset Management Standard IS.004 requires that all executive branch state agencies perform a business impact analysis or risk assessment in order to classify their information systems. Classifying information systems promotes a consistent approach to risk management and disaster recovery. Information systems classifications are separated into the following four levels:
- low: public information;
- medium: internal use information;
- high: confidential information or business support systems (e.g., email); and
- critical: information with regulatory requirements (e.g., information involving the Health Insurance Portability and Accountability Act or federal taxes).
Information systems contain diverse arrays of data, all of which should be classified in order to better protect the data within. If an information system is not properly classified, the data within can become vulnerable.
Restricting Access to PII
EOTSS Asset Management Standard IS.004 requires that all executive branch state agencies restrict access to confidential information to a narrow subset of personnel members who have a business need to access said information. Specifically, this policy lists PII as confidential information that an agency may have in its custody. Limiting access to PII prevents it from being used in a way that could cause harm to the Commonwealth and its residents, business partners, and customers.
Date published: May 5, 2025