Winn-Dixie Case Puts Spotlight on Website Accessibility/Compliance
A much-anticipated ruling on website accessibility has been issued out of the Southern District of Florida. The ruling in Juan Carlos Gil v. Winn-Dixie Stores (case no. 16-23020-civ-Scola; S.D. FL 2017) requires the attention of businesses across the country that host websites.
To recap, this was a case of first impression. After a two-day non-jury trial, the Honorable Judge Robert Scola determined that Winn Dixie’s website operates as a “gateway” to its physical store locations, and therefore is required to be accessible to individuals with disabilities. The Court determined that “[t]he services offered on Winn-Dixie’s website, such as the online pharmacy management system, the ability to access digital coupons that link automatically to a customer’s rewards card, and the ability to find store locations, are undoubtedly services, privileges, advantages, and accommodations offered by Winn-Dixie’s physical store locations.”
Commentary to the Court’s decision has focused mainly on two portions of the decision: (1) having an inaccessible website violates Title III of the ADA; and (2) a business is required to make its website accessible even though it is a fact that, the Department of Justice has never promulgated enforceable regulations. Instead, DOJ has relied upon the Web Accessibility Initiative (WAI) of the World Wide Web Consortium (W3C) to shape this guidance known as, Web Content Accessibility Guidelines (WCAG).
While this opinion is the first of its kind, the ruling also addresses an important issue: specifically, ADA liability arising from third party links featured on a website. While we agree with commentary to date, we believe this third issue has not received the attention it deserves.
In the Winn-Dixie case, the Court ruled that WCAG 2.0 AA were the guidelines Winn Dixie was required to follow. Conversely, in March, a federal court in California struck down Web accessibility claims where the plaintiff attempted to use WCAG 2.0 as an appropriate standard to make a website accessible.
In Robles v. Domino’s Pizza (No. cv-106599; C.D. Cal 2017) the court held that forcing Domino’s to impose a standard to website accessibility in the absence of regulations “flies in the face of due process.” Winn-Dixie not only holds that WCAG 2.0 is the standard to follow, but also requires website audits reoccur every three months to ensure compliance.
Vendors and Compliance
It is a common practice for businesses to host links on their websites that connect them to partners, vendors, or other third parties. The Court’s ruling this week suggests that even if a business hosts a compliant website, it may be held liable for noncompliance under Title III of the ADA, if it links up to websites that are inaccessible.
The Court in Winn Dixie ruled that “[t]here are 6 different third parties . . . who interface with Winn Dixie’s website so Winn-Dixie needs to make sure that those third parties also make sure that their websites are accessible” and “[t]he Court also finds that the fact that third party vendors operate certain parts of the Winn-Dixie website is not a legal impediment to Winn-Dixie’s obligation to make its website accessible to the disabled. First, many, if not most, of the third party vendors may already be accessible to the disabled and, if not, Winn-Dixie has a legal obligation to require them to be accessible if they choose to operate within the Winn-Dixie website.” This language suggests that an operator or owner of an accessible website may face liability for the noncompliance of vendors that it features through its links.
Advocates may welcome these developments, but businesses should beware. Although this opinion is not binding on other courts, businesses with websites available to the public, may want to consider the following items:
• A Web accessibility plan should be a priority. The Court in the Winn-Dixie case took note that a plan was not in place at Winn Dixie prior to the filing of the lawsuit.
• For companies that have compliant websites, it should be noted that, if they are going to provide a link to another business there should be some effort to confirm the link is to an accessible website.
• Businesses should consider the best practices in the industry, and inquire as to whether their prospective vendor or business partner comply.
• You should also make sure your contracts with your vendors and partners provide provisions to protect your company against website accessibility lawsuits.
This type of litigation is on the rise and will likely have a record year. Until the DOJ issues permanent regulations, there is no end in sight for these types of actions, and businesses need to remain vigilant in their compliance efforts.
Carol Lumpkin and Stephanie Moot are partners, and Shawn Hogue is an associate at K&L Gates’ Miami office, where they counsel and represent clients in connection with the firm’s litigation practice.
Deloitte: Retailers have false sense of cyber-security
A majority of companies, including retailers, are confident about cyber-security, but their confidence may not be justified.
That’s according to “Cyber Risk in Consumer Business,” a report from Deloitte. The report is based on input from more than 400 CIOs, CISOs, CTOs and other senior executives.
According to the study, more than three-quarters (76%) of consumer business executives are highly confident in their ability to respond to a cyber incident. Yet, many face issues that critically impair their ability to do so.
For example, a majority of executives surveyed (82%) indicated their organization has not documented and tested cyber response plans involving business stakeholders within the past year. Less than half (46%) said their organization performs war games and threat simulations on a quarterly or semiannual basis. One quarter (25%) reported a lack of cyber-funding, while roughly one in five (21%) lack clarity on cyber mandates, roles and responsibilities.
“In the study, we found that just 30% to 40% of companies currently investing in platforms, such as consumer analytics, cloud integration, connected products and mobile payments have mature programs in place to address related risks,” said Barb Renner, vice chairman, Deloitte LLP and U.S. consumer products leader.
“Many of these technologies involve a broad set of data types that could expose consumers to much more than stolen credit cards and identity theft,” she added. “Beyond customer data, the risks can range from protecting food safety in manufacturing and supply chains to intellectual property of new products and formulas. Allowing cyber response planning to lag can undercut the upside of investments in advanced digital technologies. It can become a one step forward, two steps back proposition to pursue advanced technologies without equal attention to cyber threats.”
Companies may also underestimate the importance of consumer trust. When thinking about potential cyber incidents, consumer product companies surveyed seem to be primarily concerned with production disruptions (48%) and loss of intellectual property (42%), while 16% are concerned with tarnishing brand perceptions related to trust.
Many U.S. consumers already express heightened security concerns, with a startling number going so far as to delete mobile applications and avoid websites, which can threaten a critical engagement touchpoint for consumer businesses. In 2016, roughly 80% of U.S. consumers felt they have lost control over how their personal information was being used by companies.
“News of breaches cannot only threaten sales of a particular product or brand, but can tarnish broader perceptions consumers have toward connected products in general — jeopardizing billions in future sales growth,” added Renner.
Another potential risk and reward scenario accompanies the interactions between customers and consumer businesses: connected products. These devices may increase the points of entry, opening the door to cyber breaches that can arise anywhere across the entire connected ecosystem, including consumers and third-party vendors.
Among executives surveyed, 32% are not confident their cyber risk management program is effective in maintaining their strategy to develop and market connected products. Their concerns don’t stop there. Changing regulatory requirements are the top concern of 74% of those who deploy connected products, followed by intellectual property theft (71%) and theft of consumer information (66%).
“With less than one-third of companies believing their cyber risk management is effective when it comes to developing connected products, we believe the principle of ‘security by design’ can be an effective strategy,” said Sean Peasley, Deloitte & Touche LLP and cyber risk services consumer and industrial products leader. “By embedding security considerations further upstream in the development process, connected products can be more resilient to cyber threats enabling them to not only make it to market, but stay on the market, potentially avoiding costly and time-consuming recalls and regulatory delays.”
And the top data concern of late: intellectual property. Second only to financial theft, this rising concern is generally mirrored across consumers businesses. To date, IP theft has largely remained in the shadows of more familiar cyber-crimes, such as theft of credit cards and other personally identifiable information, the study said.
Retailers losing billions to inventory shrink
The nation's retailers lost a staggering amount of money in 2016 due to shoplifting, organized crime, internal theft and other types of inventory shrink.
Inventory shrink totaled $48.9 billion in 2016, up from $45.2 billion the year before, as budget constraints left retail security budgets flat or declining, according to the annual National Retail Security Survey by the National Retail Federation and the University of Florida. The thefts amounted to 1.44% of sales, up from 1.38%.
According to the study, which was sponsored by The Retail Equation, 48.8% of retailers surveyed reported increases in inventory shrink, and 16.7% said it remained flat. Shoplifting and organized retail crime accounted for 36.5% of shrink, followed by employee theft/internal (30%), administrative paperwork error (21.3%) and vendor fraud or error (5.4%).
Shoplifting continued to account for the greatest losses of overall shrink. Shoplifting averaged $798.48 per incident, up from $377 in 2015. The rise was partially attributed to retailers allocating smaller budgets for loss prevention, leaving them with fewer security staff to fight theft, the report said.
The average loss due to employee theft per incident was put at $1,922.80, up from $1,233.77 in 2015. The average cost of retail robberies dropped to $5,309.72 from $8,170.17 in 2015, but remained at more than double the $2,464.50 seen in 2014.
For the first time in the survey, retailers were asked about return fraud, reporting an average loss of $1,766.27.
“Retailers are proactive in combatting criminal activity in their stores but acknowledge that they still have a lot of work left to do,” said NRF VP of loss prevention Bob Moraca. “The job is made much more difficult when loss prevention experts can’t get the money they need to beef up their staffs and resources. Retail executives need to realize that money spent on preventing losses is money that improves the bottom line.”