Welcome to the Nanny-Fi state!: Westchester County proposes a local law that requires "security" on all private businesses that employ wireless network and store personal information about customers. This could include a "firewall," which seems like an awfully generic term in this context. Public networks would also be covered and have to post a notice of compliance.
Firewalls don't solve Wi-Fi security and privacy issues for private or public networks. I suspect that this uninformed law is superceded by federal protections and authority, too.
The only sensible requirement--if I supported legislated information technology behavior--would be to require businesses to use 802.1X authentication with WPA (WPA Enterprise) and hotspots to use WPA Personal (WPA with a shared key).
There are already federal requirements for how banking, medical, and other information are handled by businesses that would be inclusive of the protections necessary.