N.Y. County Enacts Wireless Security Law
Westchester County on Thursday enacted a law that is designed to limit identity theft by forcing local businesses to install basic security measures for any wireless network that stores customers' credit card numbers or other financial information.
The law also requires that businesses offering Internet access -- coffeehouses and hotels, for example -- post signs warning that users should have firewalls or other security measures.
As he signed the bill, County Executive Andrew Spano said the county had been unable to find any law like it in the country and had received inquiries about the legislation from other states and from Great Britain, South Korea and the Czech Republic.
"There are many unsecured wireless networks out there, and any malicious individual with even minimal technical competence would have no trouble accessing information that should be kept confidential," Spano said. "It would be nice if these businesses took the necessary steps on their own to ensure their networks were kept secure, but the sad fact is that many don't."
All computers connected to the Internet and other networks are potentially vulnerable, but wireless networks are especially troublesome because a hacker can easily grab data traveling through the air.
Experts warned that the law would not fully protect anyone from dedicated hackers but acknowledged it could raise awareness of the vulnerabilities inherent in wireless technology.
Bruce Schneier, chief technical officer of Counterpane Internet Security Inc., said laws like Westchester's are probably helpful "because the information companies have on their networks is more valuable to you than it is to them and the law gives them an incentive" to protect it.
"But it's not going to stop identity theft," he added.
Spano said businesses will also find that "this is an easy way to avoid that public relations disaster that comes when companies find out their customers' information has been stolen."
The law requires each business to install a firewall or change the default SSID, the name that identifies a wireless network, if the personal information stored has not already been encrypted. Penalties would range from a warning on first offense to a $500 fine on third offense.
Norman Jacknis, the county's chief information officer, said that when the law was being considered officials detected 248 wireless networks during a 20-minute drive through downtown White Plains. Nearly half had no visible security.
Some of the unprotected networks were at cafes, hotels or other establishments that offer wireless hot spots to patrons. Other networks, like those at Starbucks, were protected.
The signs that are to go up at such places will say, "For your own protection and privacy, you are advised to install a firewall or other computer security measure when accessing the Internet."
Jacknis said easily available firewalls would protect credit card transactions, for example, from being detected by a hacker posted outside a dry cleaner that uses a wireless network.
At most, he said, installing firewall protection -- or just turning on the encryption and other security measures available -- would take an hour of a consultant's time.
The law takes effect in six months.