In November, a man in Canada was arrested for downloading child pornography onto his laptop. The catch is that he was using someone else's wireless access point to access the illegal material. While the owner of that access point was never charged with a crime, the incident highlights a new concern about Wi-Fi security: If someone accesses your company's wireless network without permission, are you liable for what the intruder does?
SearchNetworking.com talked to Internet security law specialist Stephen S. Wu, CEO of the Mountain View, Calif.-based InfoSec Law Group PC, to find some answers.
How likely is it that a company could face criminal charges because of what an intruder does over its Wi-Fi network?
Stephen S. Wu: Criminal liability is hard to prove. There has to be some kind of intent to hold your systems open for someone else to get at them. If there is an arrangement where, for example, a corporate insider allows communication to take place with a wireless access point for the purpose of allowing a confederate in to access information, then that person could be criminally charged.
What about civil penalties?
Wu: That is much more likely. Negligence is the most likely [offense]. If you are a business and you are not securing your own systems, and private information is taken from you due to your failure to protect data, then a customer whose information was stolen could make the argument that the business' whole system was not secure, and that violates the law.
I always ask [CIOs] and other officers of small companies just who will be harmed if intellectual property is stolen through a wireless access point, because shareholders could bring a claim for breach of contract.
Are there new regulations that businesses should be aware of that pertain to this issue?
Wu: Sure. If a business is in California and holds the information of California residents, and it allows its systems to be invaded by someone who takes information, like names, driver's license information, credit card numbers or social security numbers, that company has an obligation under the law to tell those people whose information was compromised that they may be the target of identity theft. Vertical industries are subject to regulations, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in health care, or the Gramm-Leach-Bliley Financial Modernization Act of 1999, in the financial services industry.
What level of security does a company need to implement to be legally safe?
Wu: It needs to perform due diligence to determine the degree of the threat that they face. A small mom-and-pop company would not face the same degree of threat as [a large health insurance firm]. Also, it should take care of the low-hanging fruit [by] implementing wireless encryption and some kind of access control. A mom-and-pop operation may stop at that. If a small company were sued for a security breach but had installed Wired Equivalent Privacy (WEP) on its network, if it got up in front of a jury and said, 'We did all we could do; the technology is faulty and nothing better was available to us at the time,' it would probably get off under those circumstances. On the other hand, if you're a [Fortune 500] company, you not only need to have whatever encryption system is the best to protect against likely threats, but it also should include intrusion-detection systems as well.
Are there a lot of these kinds of information security lawsuits?
Wu: No, I don't see any of them right now.
Are we likely to see more of those lawsuits?
Wu: As we complete the transition to an information-centric society, we will see more information security cases. But there has to be money in these cases. If a mom-and-pop operation injures a single user and, as a result, some files involving his love life are exposed, there would be little money in it. We might see more cases where a business allows customer information to be exposed over its network, and a business claims statutory damages or attorney fees to bring the case. These kinds of cases are inevitable. It is just matter of time.
In that context, is it a bad idea to deploy wireless networks?
Wu: If you have military secrets or something that [is] highly sensitive, then you don't want a wireless access point on the network -- things like the secret formula for Coca-Cola, where the stakes are so high that you don't want to take the risk. But with that judgment comes a trade-off. You don't get the convenience of walking around with a laptop accessing files and printing. You have to balance the security versus the lost opportunity in not having a Wi-Fi network.