Westchester County NY Law Requires Some Businesses to Secure Their WiFi Networks
To avoid identity theft, businesses operating in Westchester County New York will soon need to turn on certain security settings for their WiFi networks if they are used to access financial information for their customers. The law stipulates that businesses must take "minimum security measures" that "include, but are not limited to: (a) installing a network firewall; (b) changing the system’s default SSID (network name); or (c) disabling SSID broadcasting." Other businesses operating open WiFi networks will be required to post signs to warn their customers about the perils of surfing unprotected networks. Penalties range from a warning on first offense to a $500 fine on third offense.
Dale's Comment 1: This is a terrific pioneering county law. Unfortunately, one issue that jumps out when reviewing the "minimum security measures" requirements of the law, is that it does NOT explicitly require businesses that use WiFi transmission technologies to encrypt such transmissions with basic WPA, or other secure, encryption technologies typically built into all modern routers/firewalls when, for example, laptops wirelessly transfer information within, to or from an otherwise secured network. (Note: WEP encryption is not secure) While the act’s non-exclusive definition of “minimal security measures” may impute this as an obligation, the definition (and therefore the act) doesn't make it crystal clear to county businesses that there is a legal obligation to use encryption technologies when wirelessly transmitting personal information. This, in my opinion, is a significant impediment to achiving the county’s otherwise laudable goal. So, while this act should, if followed, protect personal information stored within a wired network situated behind a firewall, from external hackers, it doesn'’t explicitly protect information transmitted wirelessly throughout that network or to/from external computers accessing the network while such information is being transmitted.
Dale's Comment 2: In an e-mail exchange with a country representative, it was pointed out that the county may not have the right to legislate in the area of over-the-air transmissions in light of the federal preemption doctrine. Whether or not the FCC regulations can pre-empt local legislation mandating encryption of personal information over a 300 foot WiFi transmission is an interesting, if unclear, point. If anyone reading this has an answer or thoughts in this regard, please e-mail me.
- FCC Rules Logan Airport Can't Restrict WiFi (November 6 , 2006)
- Schwarzenegger Signs Mandatory WiFi Equipment Warning Bill (October 3, 2006)
- Westchester County NY Law Requires Some Businesses to Secure Their WiFi Networks (April 21, 2006)