The legislation is aimed at raising public awareness to get commercial businesses to better protect the personal information of their customers and to advise people who use the Internet in public access areas of the risks involved with Wi-Fi. We anticipate that members of the business community, many of whom are entirely unaware of this problem, will do the right thing and take the necessary precautions to protect their databases.
A series of recent reports in the news has shown an increase in the rise of drive-by hacking, where thieves singled out stores with strong wireless signals and weakly protected data. Using a laptop computer outfitted with an off-the-shelf wireless card, the thieves were able to pick up signals around the store and use them to gain access to its computer systems.
According to a July 26, 2005, article in The New York Times headlined "Main Street in the Cross Hairs," for more than a month hackers "robbed" the same shops again and again of premium credit card account numbers stored in their databases. Another Times article, dated Oct. 5, 2005, "The Hills Are Alive With the Sound of Your Data," discusses how simple it is, in instances where minor security precautions aren't implemented, for someone using a portable computer to hop on to your home network or peer into your laptop at a public Wi-Fi hotspot.
Such instances are not isolated. Studies have shown that approximately one-third of businesses with wireless networks are open to abuse from hackers and criminals in the street. Accordingly, I introduced legislation that would require commercial businesses that have both personal data and wireless networks to take minimal steps to protect that data from those who might otherwise gain access to their networks.
The intent of this law is largely to educate the public that though wireless networking is a great convenience, like all technology, it requires intelligent use. Although many businesses have already taken simple and inexpensive steps to protect their data, a significant fraction has not.
We recognize that the law's current definition of minimum security as a "firewall" has been ambiguously drafted. The definition will be modified to address the concerns raised.
In the meantime, we encourage you to visit Westchester County's Web site and read the legislation for yourself to better understand its purpose, what it intends to do and whom it covers.