A recently published New York State Division of Tax Appeals Administrative Law Judge (āALJā) determination, Matter of SecureWorks, Inc., DTA Nos. 828328 & 828329 (N.Y. Div. Tax App. ALJ Div. Jan. 14, 2021) (āSecureWorksā) concluded that New York sales tax applies to certain online security services when such services are provided with respect to devices located in New York.
The ALJ concluded that most of the IT security services provided by the taxpayer, SecureWorks, Inc., were subject to New York sales tax as āprotective and detective servicesā under N.Y. Tax Law Ā§ 1105(c)(8).Ā The taxable IT services generally included SecureWorksā performance of: 1) IT security āmanagementā services, where it made changes to a customerās device or software to help the customer keep the device or software operating properly; and 2) IT security āmonitoringā services, where SecureWorks reviewed the events that a device or software produced and then advised customers when they should investigate an event further.
In addition, the ALJ concluded that certain ancillary SecureWorks offerings were not āprotective and detective services,ā but were taxable as āinformation servicesā under N.Y. Tax Law Ā§ 1105(c)(1): 1) a service where SecureWorks compiled and reviewed security-related news from the Internet, added knowledge from its researchers, and disseminated its findings in reports to customers; and 2) a service where SecureWorks alerted customers about potential security threats by compiling public mentions of a customerās brand or other keywords on the Internet and providing reports to the customer.Ā The ALJ also reasoned that the latter service did not qualify for New Yorkās āpersonal or individual in natureā exception from taxable information services, even though the reports were tailored for each particular customer, because ā[c]ustomization of publicly available information into a report does not render it personal or individual in natureā (citing Wegmans Food Markets, Inc. v. Tax Appeals Tribunal, 33 N.Y.3d 587 (2019)).
The ALJ concluded that only one SecureWorks service was nontaxable: a ālog retention serviceā where SecureWorks collected and stored events created by different devices across a customerās network to ensure the network operated properly.Ā The ALJ reasoned that the service was not a taxable āprotective and detective serviceā because the taxpayer merely āensur[es] the proper operation of a device so that it retains all of the events created on a network.āĀ The ALJ also reasoned that the service was not a taxable āinformation serviceā because the taxpayer āmerely reports the events in the customer portal without any additional intelligence.ā
The ALJās determination (while not precedential) upholds the Department of Taxation and Financeās prior interpretation of New Yorkās āprotective and detective servicesā provision as extending to online security services performed for IT assets located in New York.Ā N.Y. Depāt of Tax. and Fin., TSB-A-15(47)S (Nov. 18, 2015).Ā However, importantly, the determination does not address any arguments regarding the legislative intent of the protective and detective services provision.Ā Tax Law section 1105(c)(8) was enacted (in its current form as relevant to this analysis) in 1990 and was modeled after an identical New York City sales tax provision that was originally enacted in 1975, at a time when web-based security services did not exist.Ā Indeed, it is a paramount rule of statutory construction that in ascertaining statutory intent, consideration must be given to the time period when the statute was enacted. Ā Perrin v. U.S., 444 U.S. 37, 42 (1979).Ā Ā There is no indication that the legislature intended (in 1975 or 1990) for this provision to encompass online security services.Ā Since there was no discussion regarding this legislative intent in the determination, it will be interesting to see whether the Tax Appeals Tribunal (if the case is appealed) or another ALJ would reach a different result if such context were considered.
Contact the Authors: Maria Eberle, Lindsay LaCava and Dmitrii Gabrielov
