Westchester County, New York, has recently enacted a new law that requires local businesses to implement “minimum security measures” for protecting their wireless networks.
The law, believed to be the first of its kind in the US, applies to all commercial businesses that collect customer information, such as social security numbers, credit card or bank account information, and that also have a wireless network. Also covered by the law are businesses that offer public internet access.
The mandate was introduced as a measure to protect consumers against identity theft and other types of computer fraud, according to a statement posted on the county’s website. “We know there are many unsecured wireless networks out there, and any malicious individual with even minimal technical competence would have no trouble accessing information that should be kept confidential,” says county executive Andy Spano.
When the law was proposed last year, a team from the county’s IT department drove through downtown White Plains using a laptop equipped with easily available software to detect 248 wireless hot spots, out of which 120 lacked any visible security.
“It would be nice if these businesses took the necessary steps on their own to ensure their networks were kept secure, but the sad fact is that many don’t. That’s why we’re taking it one step further and making it a law,” Spano says.
Businesses that collect, store and use personal information have 180 days to comply with the law, which requires them to implement measures such as installing a network firewall, changing the system's SSID or network name and disabling SSID broadcasting. All of this can be “achieved with minimal effort and little or no additional cost to the system operator,” the statement says.
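The county's survey counted hot spots and sorted them into those with and without visible security; the checklist above treats a changed name and a hidden SSID as security measures. The following script is an added example, not code from the county's IT department or from this article, and shows how a practitioner would do that classification from the text output of the Linux `iw dev <iface> scan` command. The four access points in `SAMPLE_SCAN` are constructed for the example; the BSSIDs, names and field values are invented, and on a real system the text would come from running `iw` itself. The third entry models an access point with SSID broadcasting disabled: it still appears in the scan with its capability and RSN information, so the classification does not depend on the network name.

```python
"""Classify access points from a wireless scan as open or protected.

Added example, not code from the county's survey or from this article. The
input is a constructed text block in the format of `iw dev <iface> scan`
(Linux); on a real system it would come from
subprocess.run(["iw", "dev", "wlan0", "scan"], capture_output=True, text=True).
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: four access points as `iw` prints them (tabs indent
# the attribute lines under each "BSS" header). All values are invented.
SAMPLE_SCAN = """\
BSS 00:11:22:33:44:55(on wlan0)
\tfreq: 2437
\tsignal: -45.00 dBm
\tSSID: CoffeeShop-Free
\tcapability: ESS Privacy (0x0011)
\tRSN:\t * Version: 1
\t\t * Group cipher: CCMP
\t\t * Pairwise ciphers: CCMP
\t\t * Authentication suites: PSK
BSS 66:77:88:99:aa:bb(on wlan0)
\tfreq: 2412
\tsignal: -60.00 dBm
\tSSID: linksys
\tcapability: ESS (0x0001)
BSS cc:dd:ee:ff:00:11(on wlan0)
\tfreq: 5180
\tsignal: -70.00 dBm
\tSSID:
\tcapability: ESS Privacy (0x0011)
\tRSN:\t * Version: 1
\t\t * Group cipher: CCMP
\t\t * Pairwise ciphers: CCMP
\t\t * Authentication suites: SAE
BSS 22:33:44:55:66:77(on wlan0)
\tfreq: 2462
\tsignal: -55.00 dBm
\tSSID: NETGEAR
\tcapability: ESS Privacy (0x0011)
"""

BSS_RE = re.compile(r"^BSS ([0-9a-f:]{17})", re.IGNORECASE)


@dataclass
class BSS:
    bssid: str
    ssid: str = ""          # empty when the SSID is hidden (broadcast disabled)
    privacy: bool = False   # Privacy bit in the capability field
    has_wpa: bool = False   # vendor WPA information element present
    has_rsn: bool = False   # RSN (WPA2/WPA3) information element present
    akm: set[str] = field(default_factory=set)  # authentication suites seen

    @property
    def security(self) -> str:
        """Derive the protection level the way a scanner would display it."""
        if not self.privacy:
            return "open"               # no encryption advertised at all
        if self.has_rsn:
            return "WPA3" if "SAE" in self.akm else "WPA2"
        if self.has_wpa:
            return "WPA"
        return "WEP"                    # Privacy bit set, but no WPA/RSN element


def parse_iw_scan(text: str) -> list[BSS]:
    """Parse `iw dev <iface> scan` text into one BSS record per access point."""
    networks: list[BSS] = []
    for raw in text.splitlines():
        m = BSS_RE.match(raw)
        if m:
            networks.append(BSS(bssid=m.group(1).lower()))
            continue
        if not networks:
            continue                    # text before the first BSS header
        cur = networks[-1]
        line = raw.strip()
        if line.startswith("SSID:"):
            ssid = line[len("SSID:"):].strip()
            # iw prints a hidden SSID as empty or as \x00 bytes; treat both as hidden
            cur.ssid = "" if ssid.replace("\\x00", "") == "" else ssid
        elif line.startswith("capability:"):
            cur.privacy = "Privacy" in line
        elif line.startswith("WPA:"):
            cur.has_wpa = True
        elif line.startswith("RSN:"):
            cur.has_rsn = True
        elif line.startswith("* Authentication suites:"):
            cur.akm.update(line.split(":", 1)[1].split())
    return networks


def summarize(networks: list[BSS]) -> dict[str, int]:
    """Count access points per protection level, e.g. {'open': 1, 'WPA2': 1}."""
    counts: dict[str, int] = {}
    for n in networks:
        counts[n.security] = counts.get(n.security, 0) + 1
    return counts


def open_networks(networks: list[BSS]) -> list[str]:
    """BSSIDs that advertise no encryption at all (the survey's 'no visible security')."""
    return [n.bssid for n in networks if n.security == "open"]


if __name__ == "__main__":
    nets = parse_iw_scan(SAMPLE_SCAN)
    for n in nets:
        print(f"{n.bssid}  {n.ssid or '<hidden>':20} {n.security}")
    print("summary:", summarize(nets))
    print("open:", open_networks(nets))
```

The `iw` output is used as a stand-in for whatever scanner the county's team ran; the point is the decision logic, which looks only at the capability field and the WPA/RSN elements that every access point beacons regardless of whether its name is broadcast.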
In addition, internet cafes and other organisations that offer free wireless access need to prominently post signs advising customers to implement security measures on their systems when accessing the internet.
Those who fail to comply will receive a warning giving the offender 30 days to remedy the situation.
A second violation will result in a US$250 fine (NZ$394). Further violations will result in a US$500 fine. The law does not apply to home users.
While the intention of the law appears to be good, enforcing it will be a big challenge, says Pete Lindstrom, an analyst at Spire Security.
“At a basic level, I applaud the level of interest that a local government is applying to the challenges associated with cyberthreats,” Lindstrom says. “But whether or not this is something that can be enforced in a reasonable way” remains to be seen, he says.
One problem, for instance, is locating an open access point and identifying who it belongs to, says Andrew Jacquith, an analyst at Yankee Group Research in Boston.
“So you walk down Main Street and find 200 open access points, but how do you know who the culprits are?” he says. “And are you going to arrest the coffee shop owner for not having secure wi-fi connections?” he says.
“I think it’s a good thing that they are considering wireless ID theft issues,” Jacquith says. But instead of legislation that is likely to be unenforceable, a publicity campaign warning consumers about wireless threats would have been more effective, he says.
“I think outreach campaigns and education that is designed to get people to do the right thing is probably preferable to legislation,” he says.