Sponsorship

A.8021 - BENEDETTO, PHEFFER, GABRYSZAK, LAVINE, KOON, GORDON D, LAFAYETTE, FIELDS, COOK, BOYLAND, brennan, destito, diaz l, dinowitz, gottfried, gunther, maisel, millman, nolan, perry, robinson, weisenberg, young

Memorandum in Support

BILL NUMBER: A8021C

TITLE OF BILL : An act to amend the general business law, in relation to network security

Purpose Or General Idea Of Bill:

The purpose of this bill is to protect the privacy of residential and business wireless computer network users by requiring manufacturers of devices that contain wireless network access points to integrate privacy protections into their products.

Summary Of Specific Provisions:

This bill would require manufacturers of devices containing wireless access points, such as wireless computer network routers or wireless access bridges, sold as new for use in an office, or residential setting to provide protection prior to allowing use of the device, that is enabled without an affirmative act by the consumer, to protect the consumer`s wireless network from unauthorized access e.g. a built-in firewall), or incorporate a mechanism into the product or packaging the purpose of which is to advise the consumer on how to protect his or her wireless network connection from unauthorized access, including:

* attaching a temporary warning sticker to the device that must be removed to allow use of the product;

* including a security warning in the device`s installation or configuration software; or

* providing other protection on the device that advises the consumer on how to protect his or her wireless network connection from unauthorized access and requires an affirmative action by the consumer prior to allowing use of the product.

The bill`s requirements would apply to products that are manufactured on or after October 1, 2009.

The bill would also require for-profit installers of devices that include a wireless access point that is for use in an office or residential setting to advise the consumer that his or her wireless network connection may be accessible by an unauthorized user and provide the consumer with information on how to protect his or her wireless network connection from unauthorized access.

Justification:

With the increasing use of low power, unlicensed wireless technology in residences and offices, consumers are unknowingly allowing their personal information on their office or residential networks to be accessed by unauthorized users who piggyback onto their network connection.

Piggybacking occurs when an unauthorized user connects its client device to a wireless local area network (WLAN) access point or router in order to utilize the office or residential network`s broadband access connection to reach the Internet. The practice is becoming a serious issue for people who reside in densely populated areas or live in apartment buildings where wireless transmission waves can travel easily through walls, floors, and ceilings.

Consumers are generally unaware when an unauthorized user is using their broadband network connection, as most are not sufficiently aware to determine if someone has tapped into their network. Enabled

security avoids this problem by preventing all but the most determined attempts to tap into a consumer`s network.

In 2003, it was estimated that there were 3.9 million households with wireless access to the Internet. Currently, there are about 7.5 million households with wireless access, and that number is expected to rise to 16.2 million households by the end of the year.

In December 2005, the National Cyber Security Alliance (NCSA) found that, "more than one out of four homes had a wireless network (26%) and nearly half of these homes (47%) failed to encrypt their connection, a safety precaution needed to protect wireless networks from outside intruders."

There is disagreement as to whether it is legal for someone to use another person`s WiFi connection to browse the Internet if the owner of the WiFi connection has not put a password on it. While Article 156 of the Penal Law prohibits the unauthorized access to computers, computer systems, and computer data, authorized use is determined by the specific circumstances of the access. There are also federal laws, including the Computer Fraud and Abuse Act (18 U.S.C. Sec. 1030 et seq.), that prohibit the intentional access to a computer without authorization.

Prior Legislative History:

2007: A.8021-A - Advanced to Assembly Third Reading Calendar

Fiscal Implications For State And Local Governments:

None.

Effective Date:

October 1, 2009.