Last October, Westchester County in New York State enacted a municipal law that requires businesses to secure their wireless networks. Those that fail to do so are subject to a US$250 fine on the second violation (the first brings only a warning) and a US$500 fine on the third infraction.
The county law also requires the operators of public Wi-Fi hotspots to post notices warning wireless users about security risks and advising them to take security precautions when using hotspots.
In California, meanwhile, a new law signed last fall will require wireless LAN equipment intended for home and small business use to come with warnings about security starting on October 1 of this year.
There are no such laws in Canada yet – although when anything is required in a market the size of California, vendors will most likely find it easiest just to do it everywhere. Andrew Neuman, senior assistant to the county executive in Westchester County, says a number of other jurisdictions have contacted county staff to learn more about its experience, indicating interest in introducing similar legislation of their own, but he doesn’t recall hearing from any Canadian lawmakers.
The day could be coming, though – and even if securing wireless networks isn’t made a legal requirement, businesses that don’t do so could find themselves publicly embarrassed and quite possibly hauled into court for endangering the security of their customers’ personal information.
There are no laws like Westchester County’s in Canada today, says lawyer Michael Whitt, a Calgary-based partner at Borden Ladner Gervais and a member of the national law firm’s information technology steering committee. Even so, he says, organizations that suffer security breaches found to be attributable to poorly secured networks could face several kinds of liability.
Aside from losing customers’ trust if news of such breaches gets out, he says, companies could be publicly named and shamed by a federal or provincial privacy commissioner.
While privacy commissioners can’t directly impose penalties for poor security, Whitt says, they can make findings that are considered cause for legal action by injured parties. That means that if your company’s poor security leads to my personal data being revealed and the privacy commissioner finds that your company was negligent, then when I sue you I only have to prove I suffered from your negligence – the privacy commissioner’s finding is sufficient proof of the negligence itself.
And being sued for revealing personal data is increasingly likely. “We’re starting to see class-action lawsuits started … on behalf of the data subjects whose data was leaked,” Whitt says. “That trend should frighten the businesses, or should make them aware that their obligation may have some downside if they don’t comply.”
“It would be the same as any sort of negligence that could be attributed to them by the way they’ve configured their environment and exposed customer information,” says Jan Wolynski, a director in the advisory services practice of PricewaterhouseCoopers LLP and a former police officer with a background in cyber-security. “So it would fall into the same area as any security programs that they have in place. They’d be just as liable for negligence there.”
Neuman says Westchester County’s law was enacted because insecure wireless networks were widespread in the county. Last year, he says, county staff conducted a “war drive” – the popular term for searching for unsecured wireless networks – in the business district of White Plains, where the county offices are located. “Within 15 minutes,” he says, “we had seen 250 wireless networks and half of them were unsecured.”
Since enacting the law, Neuman says, county officials have issued a number of warnings but so far no fines. Business response to the law has been positive, he maintains, and the county is working with its local Chamber of Commerce and business journal to promote wireless security.
Businesses certainly should be concerned about securing their wireless networks, Wolynski says. They should implement the security provisions built into the 802.11 wireless standards at a bare minimum, and in most cases should add stronger data encryption on top of those.
Businesses also need to monitor their premises constantly to ensure employees are not putting unauthorized wireless access points in place, says Wolynski.
That’s practically a full-time job at Concordia University in Montreal. “We are continually going around and disconnecting wireless access points that have been plugged in by people,” says Andrew McAusland, the university’s associate vice-president of instructional and information technology services.
Wireless security has improved, Whitt says, and securing wireless networks today is practical enough that there is no excuse for not doing it right. “The effort isn’t huge or expensive,” he says.
And if anything, Whitt says, the legal risks associated with not securing wireless networks will only increase. Privacy laws are still maturing and certain obligations will probably be broadened, he predicts, and there are moves in progress to require more disclosure of security breaches. Canadian businesses that haven’t thoroughly locked down their wireless networks shouldn’t wait for stricter legislation before doing so.