Saturday, April 22, 2006


Law signed by Spano is first of its kind in the U.S.

A groundbreaking proposal requiring local businesses to secure their wireless networks to protect their customers against identity theft and other computer fraud has just become law.

County Executive Andy Spano signed a bill into law today that requires commercial businesses that offer public Internet access and/or maintain personal information on a wireless network to take “minimum security measures.” The Board of Legislators passed the bill unanimously on April 10.

The law, which appears to be the first of its kind in the U.S. (and perhaps the world), applies to all commercial businesses that collect personal customer information such as social security numbers, credit card or bank account information, and also have a wireless network. In addition, businesses that offer public Internet access must also “conspicuously post a sign” advising customers to “install a firewall or other computer security measure when accessing the Internet.”

“We know there are many unsecured wireless networks out there, and any malicious individual with even minimal technical competence would have no trouble accessing information that should be kept confidential,” Spano said. “It would be nice if these businesses took the necessary steps on their own to ensure their networks were kept secure, but the sad fact is that many don’t. That’s why we’re taking it one step further and making it a law.”

As part of the new law, the County has also published a new brochure and website ( to educate consumers about how to prevent identity theft. The brochure, which is also posted on the website and will be distributed to local business organizations, outlines five basic steps that even non-technical users can take to make a wireless network more secure.

“Internet cafes are a part of an increasingly mobile marketplace and this will help create a safer environment for people conducting their personal business on the go,” said Legislator Clinton I. Young, Jr., whose Committee on Legislation reviewed the new law. “Businesses will also begin to realize how vulnerable their networks can be if not secured and go one step further in protecting their customers.”

When the law was being proposed last fall, a team from the Department of Information Technology showed how easy it was to find vulnerable networks by taking a drive through downtown White Plains. Using a laptop computer equipped with easily available software, they came across 248 wireless hot spots in less than half an hour. Out of those, 120, or almost half, lacked any visible security at all. Many users failed to even provide a name for their network and instead used the standard name set as a default in the product. This clearly marked them as potential targets for hackers.

“While we stopped short of hacking into anyone’s private network, others might not be as considerate,” Spano said. “Someone sitting in a car across the street or in a nearby building could invade any of these networks and steal unprotected confidential information.”

As the law reads, it requires “any commercial business that stores, utilizes or otherwise maintains personal information electronically” to take minimum security measures to “secure and prevent unauthorized (wireless) access to all such information.” Security measures can be as simple as installing a network firewall, changing the system’s default SSID (network name) or disabling SSID broadcasting – all of which can be achieved with minimal effort and little or no additional cost to the system operator.

For example, a retail establishment that uses a wireless network to process credit card transactions could install a firewall, one of the easiest and least expensive ways to guard a network from attack.

The law will be enforced by the Department of Consumer Protection’s Division of Weights and Measures. A first violation will result in a warning giving the offender 30 days to remedy the situation. A second violation will result in a $250 fine and any further violations will mean a $500 fine.

The law, which will go into effect 180 days after the signing, doesn’t apply to individual home users.

In a related effort, but taking another tack in combating computer crime, the Department of Public Safety recently created the state’s first accredited Digital Crime and Investigation Unit. Two investigators are now dedicated to searching the Internet for “techy criminals” involved in identity theft, fraud (phishing), pedophilia and cyberbullying. The unit will also recover digital evidence that can be used by prosecutors in seeking convictions.