
New York county enacts wireless security law

Apr 21, 2006 | 3 mins

New York county requires businesses to secure WLANs.

Westchester County, N.Y., this week enacted a new law that requires local businesses to implement “minimum security measures” for protecting their wireless networks.

The law, which is believed to be the first of its kind anywhere in the country, applies to all commercial businesses that collect customer information, such as Social Security numbers, credit card or bank account information, and that also have a wireless network. Also covered by the law are businesses that offer public Internet access.

The mandate was introduced as a measure to protect consumers against identity theft and other types of computer fraud, according to a statement posted on the county’s Web site. “We know there are many unsecured wireless networks out there, and any malicious individual with even minimal technical competence would have no trouble accessing information that should be kept confidential,” County Executive Andy Spano said in the statement.

When the law was proposed last fall, a team from the county’s IT department drove through downtown White Plains using a laptop equipped with easily available software to detect 248 wireless hot spots, out of which 120 lacked any visible security.

“It would be nice if these businesses took the necessary steps on their own to ensure their networks were kept secure, but the sad fact is that many don’t. That’s why we’re taking it one step further and making it a law,” Spano said.

Businesses that collect, store and use personal information have 180 days to comply with the law, which requires them to implement measures such as installing a network firewall, changing the system's SSID or network name and disabling SSID broadcasting. All of this can be “achieved with minimal effort and little or no additional cost to the system operator,” the statement said.

In addition, Internet cafes and other organizations that offer free wireless access need to prominently post signs advising customers to implement security measures on their systems when accessing the Internet.

Those who fail to comply will receive a warning giving the offender 30 days to remedy the situation. A second violation will result in a $250 fine. Further violations will result in a $500 fine. The law does not apply to home users.

While the intention of the law appears to be good, enforcing it will be a big challenge, said Pete Lindstrom, an analyst at Spire Security.

“At a basic level, I applaud the level of interest that a local government is applying to the challenges associated with cyberthreats,” Lindstrom said. “But whether or not this is something that can be enforced in a reasonable way” remains to be seen, he said.

One problem, for instance, is locating an open access point and identifying who it belongs to, said Andrew Jacquith, an analyst at Yankee Group Research.

“So you walk down Main Street and find 200 open access points, but how do you know who the culprits are?” he said. “And are you going to arrest the coffee shop owner for not having secure Wi-Fi connections?” he said.

“I think it’s a good thing that they are considering wireless ID theft issues,” Jacquith said. But instead of legislation that is likely to be unenforceable, it would have been more effective to do a publicity campaign warning consumers of wireless threats, he said.

“I think outreach campaigns and education that is designed to get people to do the right thing is probably more preferable to legislation,” he said.