If what is happening in Westchester County, N.Y., is any indicator, commercial businesses that offer public Internet access and/or maintain personal information on a wireless network may be faced with another security concern. The county has passed what is believed to be the first law requiring
County Executive Andy Spano signed the bill into law in April, mandating "minimum security measures" be taken by all commercial businesses that collect personal customer information, such as Social Security numbers, credit card or bank account information, and also have a wireless network. In addition, businesses that offer public Internet access must also "conspicuously post a sign" advising customers to "install a firewall or other computer security measure when accessing the Internet."
"We know there are many unsecured wireless networks out there, and any malicious individual with even minimal technical competence would have no trouble accessing information that should be kept confidential," Spano says. "It would be nice if these businesses took the necessary steps on their own to ensure their networks were kept secure, but the sad fact is that many don't. That's why we're taking it one step further and making it a law."
"Internet cafes are a part of an increasingly mobile marketplace and this will help create a safer environment for people conducting their personal business on the go," says Legislator Clinton I. Young Jr., whose committee reviewed the new law. "Businesses will also begin to realize how vulnerable their networks can be if not secured and go one step further in protecting their customers."
When the law was being proposed last fall, a team from the Department of Information Technology showed how easy it was to find vulnerable networks by taking a drive through downtown White Plains. Using a laptop computer equipped with easily available software, they came across 248 wireless hotspots in less than half an hour. Out of those, 120 lacked any visible security at all. Many users had not even named their network and were instead using the product's default name. This clearly marked them as potential targets for hackers.
"While we stopped short of hacking into anyone's private network, others might not be as considerate," Spano says. "Someone sitting in a car across the street or in a nearby building could invade any of these networks and steal unprotected confidential information."
Security measures mandated by the law can be as simple as installing a network firewall, changing the system's default SSID (network name) or disabling SSID broadcasting. A retail establishment, for example, that uses a wireless network to process credit card transactions could install a firewall.
A first violation of the law will result in a warning, giving the offender 30 days to remedy the situation. A second violation will result in a $250 fine and any further violations will mean a $500 fine. Are you listening, Starbucks?