Most organizations can’t find the balance between security and their bottom line.
And don’t know why.
I’m a Data Security Engineer with over 10 years in security and 20 in technology. I’ve worked inside Fortune 500 organizations and small businesses. In every one of them, the security and compliance failures traced back to the same place — communication, starting at the top. UMN Consulting identifies what’s actually broken and tells you the truth about it. Not what you want to hear. What you need to hear.
The Real Problem
The compliance gap isn’t technical. It’s organizational.
Security and accessibility failures have the same root cause in almost every organization I’ve assessed: the people inside it are not operating in cohesion. IT speaks one language. Security speaks another. HR, finance, and leadership each have their own. Policies speak a fourth language that doesn’t map to any of them — and rarely provide enough context for someone outside the team that wrote them to understand what’s actually required.
This plays out on both sides of the organization. Externally: if customers or B2B partners can’t navigate your site, can’t find what they need, or can’t complete a transaction — the relationship breaks down. That’s not just a revenue problem. The information that didn’t reach them, or didn’t come back to you, was often information that needed to move. Inaccessible means unusable. Unusable means ignored. Ignored means exploitable.
Internally: when people don’t have the shared context to understand expectations, they can’t meet them. Tools purchased to solve real problems don’t get used the way they were designed — because the common understanding required to use them correctly was never established. That’s a bottom-line problem, a security problem, and a compliance problem simultaneously.
Organizations that treat compliance as a public-facing checkbox never see this layer. The liability lives here. And the deadlines below are the external pressure — but the internal fragmentation is what determines whether you can actually meet them.
Healthcare
HHS Section 504 — WCAG 2.1 AA Required
Hospitals, health systems, patient portals, telehealth platforms, and any organization receiving HHS federal financial assistance must conform. This deadline was not extended alongside the DOJ Title II delay. Healthcare carries dual exposure: federal enforcement and private ADA litigation simultaneously.
Deadline: May 11, 2027
Government & Higher Education
ADA Title II — DOJ Final Rule
State and local governments — including public universities, courts, school districts, and municipal agencies — must meet WCAG 2.1 AA for all web content, mobile apps, digital documents, and online course materials. The deadline was extended but the obligation was not. Procurement vendors selling into these entities are also in scope.
Large entities: April 26, 2027 | Smaller entities: April 26, 2028
Private Sector
ADA Title III — Litigation Is Not Waiting
Private businesses have no explicit federal technical standard yet — but courts consistently apply WCAG 2.1 AA. Settlements routinely reach six figures plus mandatory remediation. Nearly half of all 2025 federal cases involved companies that had already been sued at least once before. The extension of government deadlines has no effect on private litigation.
No deadline. Active litigation now.
EU-Connected Organizations
European Accessibility Act
The EAA came into force June 28, 2025 for organizations operating in the European Union. B2G vendors — companies supplying software or services to government entities — must ensure WCAG 2.1 AA compliance in their products. One compliance program covers both US and EU requirements.
In force: June 28, 2025
How We Work
Every engagement is scoped, contracted, and delivered as a discrete piece of work.
Each engagement has a defined scope, a signed contract, and a specific deliverable. Scope does not change or expand unless a technical constraint makes the original goal unachievable. You know what you’re getting before work begins. Fees vary by engagement type — assessment and verification work is project-based; monitoring is retainer-based. No published rate cards. Every scope is different.
Engagement 01
Assessment
We assess your digital surfaces against the applicable standard — WCAG 2.1 AA for accessibility, or NIST 800-53, CMMC, SOC 2, HIPAA, or HITRUST for security. Assessment includes both automated scanning and manual testing. Automated tools catch at most 30% of accessibility failures. The other 70% require a human examiner who knows what to look for.
For accessibility assessments, we test against both standard and neurodivergent use cases. An estimated 15 to 20 percent of the population is neurodivergent. If your digital environment doesn’t work for them, you have a compliance gap and a user gap simultaneously.
Engagement 02
Remediation Guidance
The assessment report tells you what is wrong. The remediation guidance tells you how to fix it. This is a separate engagement scoped after you’ve reviewed the assessment findings and decided which gaps to address and in what order.
Your team does the remediation work. We provide the specific, actionable guidance they need to do it correctly. Vague recommendations that require interpretation are not guidance — they are another communication gap. We do not produce those.
Engagement 03
Verification & ACR / VPAT
Once your team has addressed the findings, we retest to confirm the remediations were implemented correctly and the gaps are closed. Verification is not a formality — it is the step that confirms the work actually happened and is producing the intended result.
For organizations selling into government, education, or enterprise procurement, we produce an Accessibility Conformance Report (ACR) using the standard VPAT template — the document procurement officers require to verify WCAG compliance before approving a vendor.
Engagement 04 — Retainer
Periodic Retesting
Digital environments change. New content gets added. Systems get updated. Policies change. Each change is an opportunity to introduce new gaps. Periodic retesting on a defined cadence catches what slips through between full assessment cycles.
Each retesting cycle produces an updated findings report. Over time, the number of findings in each cycle should decrease — that’s the measure of a maturing program.
Engagement 05 — Retainer
Advisory
Ongoing access to ask questions and get answers before something gets built or deployed incorrectly. The advisory retainer is preventive — it is the accessibility and security lens applied to your work in progress, before gaps are introduced rather than after they’re discovered.
Organizations running both the retesting and advisory retainers simultaneously tend to see fewer findings over time. Prevention costs less than remediation.
A note on scope: UMN Consulting provides assessment, advisory, and remediation guidance. Remediation work is performed by your team. We identify what is wrong, tell you how to fix it, and verify that the fix was implemented correctly. We do not certify compliance outcomes or guarantee audit results — compliance determinations are made by the relevant regulatory body or auditor. What we guarantee is an honest assessment of where you actually stand.
What Makes This Different
Most audits stop at the front door. The exposure doesn’t.
I’ve been inside the organizations that bought the right tools, hired the right teams, and still got it wrong. The pattern is consistent: four layers fail simultaneously — governance sets the wrong requirements, leadership approves inadequate solutions, technical teams implement what they’re given, and process never defines what adequate actually means. No single layer sees the full picture. That’s the assessment most firms aren’t equipped to deliver.
Hard truths, not comfortable reports
If your security theater is passing audits while your actual posture is deteriorating, I’ll tell you that. The checkbox was ticked. The exposure remains. Organizations hire me to find what’s actually wrong — not to produce documentation that confirms what they hoped to hear.
Both surfaces, not just the public one
Most accessibility firms audit your website and stop. Most security firms assess your perimeter and stop. Internal communication failures — ambiguous policies, inaccessible tools, fragmented departmental language — are where compliance breaks down in practice. That’s the layer we assess.
Neurodivergent use cases are not optional
An estimated 15 to 20 percent of the population is neurodivergent. Standard automated testing doesn’t test for how they experience your environment. We do. That’s not an accommodation — it is the more complete diagnostic. And it catches failures that the standard testing misses entirely.
Accessibility and security through the same lens
Inaccessible means unusable. Unusable means ignored. Ignored means exploitable. AI can now find ambiguity and weaponize it before a human examiner notices it. The organizations that treat accessibility and security as separate programs are managing two incomplete pictures of the same problem.
Independent assessment is the product
Large consulting firms are structurally prevented from delivering honest assessments — their revenue model depends on client comfort and continued engagement. Independence is not a business model detail. It is what makes an honest diagnosis possible.
System-level thinking across 20 years
Fortune 500 organizations and small businesses fail at security for the same structural reasons. I bring the cross-domain pattern recognition that comes from having assessed both — and from understanding how the connections between governance, communication, technology, and human behavior produce predictable outcomes.
Get in Touch
Tell us where you are. We’ll tell you what it costs to wait.
Whether you’re working against a regulatory deadline, responding to a complaint, or doing a proactive assessment before a problem finds you — the first conversation is about understanding your situation honestly.
We work with healthcare organizations, educational institutions, government agencies, and private enterprises. There is no minimum size. There is no sector we haven’t seen fail for the same reasons.
Prefer to reach us directly:
consulting@unmaskingneurons.com
Request a Compliance Assessment
We respond within one business day. Your information is never shared with third parties.