A measure was introduced earlier this week in Westchester County, outside of New York City, that would require retail stores operating commercial Wi-Fi networks to take "basic security precautions" to protect customer information from potential data thieves and hackers
"A customer's credit card number, social security number, bank account information is vulnerable if a business that collects that information hasn’t taken the proper steps to protect it,” said Westchester County executive Andy Spano, a proponent of the measure.
Under the proposal, which could go into effect early next year, businesses would have 180 days to comply. First time offenders will get a warning, with a $250 fine for second, and $500 for third.
All commercial businesses that use wireless networks and maintain personal customer information would need to secure networks that protect the public from potential identity theft and other potential threats such as computer viruses and data corruption. Businesses offering public wireless access, such as an Internet caf, would need to post a sign stating the network has been secured with firewall protection and file a note of compliance with the county.
There are less than a dozen Internet cafes in Westchester County, but that number is growing, officials said. New cafes from Atlanta Bread Co. to Starbucks Corp. have opened with Wi-Fi access in cities, such as White Plains. There are 30,000 businesses in Westchester.
The county is asking businesses to secure customer data by installing a firewall and make certain access points are closed. Spano and county CIO Norman Jacknis said they found about 180 hot spots in a war drive around White Plains. They said about half were insecure.
But tightly closing a wireless network requires strong authentication and encryption. "There are ways to breach almost any wireless network," said Michael Overly, Partner in the eBusiness and information technology group at Foley & Lardner LLC. "I drove down the street the other day with my laptop, flipped on the WiFi card and it showed me five or six networks including my own."
The networks Overly saw require a password to gain access, so to an extent they are locked down. The question is how strong a password authentication do they need?
The technology is continually changing and businesses need to keep informed. "We're not trying to limit the use of technology by businesses," Jacknis said. "These businesses just need to use caution and take steps to secure customer data because if they don't it's like leaving the door to your house open."