WiFi Security: Westchester County In New York Doesn't Get It

Originally I wrote: What makes financial institutions special? I ask because some public WiFi providers in at least one N.Y. county must encrypt communications. But locals banks aren't necessarily subject to that law. Westchester County passed a law that requires local businesses to install at least some basic security measures on any wireless-enabled network where customers' credit card numbers or other financial information is stored. Maybe somebody in that county's government will see the need to expand the law to include financial institutions. See my previous blog post for some eye-opening information about related insecurities.

However, I did find the Westchester County law online and I was wrong -- it does not require that certain business encrypt communications. Instead, it merely requires that "all commercial businesses in Westchester County who offer public Internet access and/or maintain personal information and use a wireless network" implement "minimum security measures," which include using a network firewall, changing the default SSID of the access points, or disabling the broadcast of SSIDs.

So the county is enforcing the use of network firewall basically. That's a start, but it's probably useless because if affected businesses do collect personal information and move that info over an unencrypted link then gaining access to that information is incredibly easy and as you know a firewall isn't going to prevent that. The law won't do much good.

A better law would require encrypted communications and the law should probably be applied to any business that transmits private information over the Internet.