N.Y. county throws cold water on hot spots

A law requires Internet cafes and other commercial entities to secure their wireless networks to prevent identity theft.

Westchester County, N.Y., has enacted what may be the first law in the nation requiring Internet cafes and other similar commercial entities to secure their wireless networks to prevent identity theft and other computer fraud.

The law, which goes into effect 180 days from today, requires commercial businesses that store, use or maintain personal information electronically – such as a retail store that uses a wireless network to process credit card transactions – to take minimum security measures. County officials said the measures could be as simple as installing a network firewall, changing the system’s default service set identifier (SSID), or disabling SSID broadcasting, and could be taken with minimal effort and little to no additional cost.

“We know there are many unsecured wireless networks out there, and any malicious individual with even minimal technical competence would have no trouble accessing information that should be kept confidential,” Westchester County Executive Andy Spano, who signed the bill into law today, said in a prepared statement. The county Board of Legislators approved the bill April 10.

“It would be nice if these businesses took the necessary steps on their own to ensure their networks were kept secure, but the sad fact is that many don’t,” he added. “That’s why we’re taking it one step further and making it a law.”

The law does not apply to residents who use wireless networks in their homes.

The county Department of Consumer Protection’s Division of Weights and Measures will enforce the law. A first-time violator will receive a warning and 30 days to correct the situation. For a second violation, the business will receive a $250 fine. Further violations will result in $500 fines. The county also produced a brochure and Web site to educate consumers about identity theft.

Spano introduced legislation last fall after a team from the county’s information technology department found 248 wireless hot spots in less than a half-hour in White Plains using a laptop computer. Of the 248, 120 hot spots lacked any visible security, and many kept the product’s standard default name, indicating that they were potential targets for hackers.

In a related move, the county Department of Public Safety established the state’s first Digital Crime and Investigation Unit, a two-man team dedicated to searching the Internet for criminals involved in identity theft, fraud, pedophilia and cyber bullying.