News

N.Y. County Enacts Wireless Security Law

Westchester County on Thursday enacted a law that is designed to limit identity theft by forcing local businesses to install basic security measures for any wireless network that stores customers' credit card numbers or other financial information.

The law also requires that businesses offering Internet access -- coffeehouses and hotels, for example -- post signs warning that users should have firewalls or other security measures.

As he signed the bill, County Executive Andrew Spano said the county had been unable to find any law like it in the country and had received inquiries about the legislation from other states and from Great Britain, South Korea and the Czech Republic.

"There are many unsecured wireless networks out there, and any malicious individual with even minimal technical competence would have no trouble accessing information that should be kept confidential," Spano said. "It would be nice if these businesses took the necessary steps on their own to ensure their networks were kept secure, but the sad fact is that many don't."

All computers connected to the Internet and other networks are potentially vulnerable, but wireless networks are especially troublesome because a hacker can easily grab data traveling through the air.

Experts warned that the law would not fully protect anyone from dedicated hackers but acknowledged it could raise awareness of the vulnerabilities inherent in wireless technology.

Bruce Schneier, chief technical officer of Counterpane Internet Security Inc., said laws like Westchester's are probably helpful "because the information companies have on their networks is more valuable to you than it is to them and the law gives them an incentive" to protect it.

"But it's not going to stop identity theft," he added.

Spano said businesses will also find that "this is an easy way to avoid that public relations disaster that comes when companies find out their customers' information has been stolen."

The law requires each business to install a firewall or change the default SSID, the name that identifies a wireless network, if the personal information stored has not already been encrypted. Penalties would range from a warning on first offense to a $500 fine on third offense.

Norman Jacknis, the county's chief information officer, said that when the law was being considered officials detected 248 wireless networks during a 20-minute drive through downtown White Plains. Nearly half had no visible security.

Some of the unprotected networks were at cafes, hotels or other establishments that offer wireless hot spots to patrons. Other networks, like those at Starbucks, were protected.

The signs that are to go up at such places will say, "For your own protection and privacy, you are advised to install a firewall or other computer security measure when accessing the Internet."

Jacknis said easily available firewalls would protect credit card transactions, for example, from being detected by a hacker posted outside a dry cleaner that uses a wireless network.

At most, he said, installing firewall protection -- or just turning on the encryption and other security measures available -- would take an hour of a consultant's time.

The law takes effect in six months.

Featured

  • World Map Image

    Microsoft Taps Nebius in $17B AI Infrastructure Deal To Alleviate Cloud Strain

    Microsoft has signed a five-year, $17.4 billion agreement with Amsterdam-based Nebius Group to expand its AI computing capabilities through third-party GPU infrastructure.

  • Microsoft Brings Copilot AI Into Viva Engage

    Microsoft 365 Copilot in Viva Engage is now generally available, extending Copilot's AI-powered assistant capabilities deeper into the Viva platform.

  • MIT Finds Only 1 in 20 AI Investments Translate into ROI

    Despite pouring billions into generative AI technologies, 95 percent of businesses have yet to see any measurable return on investment.

  • Report: Cost, Sustainability Drive DaaS Adoption Beyond Remote Work

    Gartner's 2025 Magic Quadrant for Desktop as a Service reveals that while secure remote access remains a key driver of DaaS adoption, a growing number of deployments now focus on broader efficiency goals.