A recently published New York State Division of Tax Appeals Administrative Law Judge (“ALJ”) determination, Matter of SecureWorks, Inc., DTA Nos. 828328 & 828329 (N.Y. Div. Tax App. ALJ Div. Jan. 14, 2021) (“SecureWorks”) concluded that New York sales tax applies to certain online security services when such services are provided with respect to devices located in New York.
The ALJ concluded that most of the IT security services provided by the taxpayer, SecureWorks, Inc., were subject to New York sales tax as “protective and detective services” under N.Y. Tax Law § 1105(c)(8). The taxable IT services generally included SecureWorks’ performance of: 1) IT security “management” services, where it made changes to a customer’s device or software to help the customer keep the device or software operating properly; and 2) IT security “monitoring” services, where SecureWorks reviewed the events that a device or software produced and then advised customers when they should investigate an event further.
In addition, the ALJ concluded that certain ancillary SecureWorks offerings were not “protective and detective services,” but were taxable as “information services” under N.Y. Tax Law § 1105(c)(1): 1) a service where SecureWorks compiled and reviewed security-related news from the Internet, added knowledge from its researchers, and disseminated its findings in reports to customers; and 2) a service where SecureWorks alerted customers about potential security threats by compiling public mentions of a customer’s brand or other keywords on the Internet and providing reports to the customer. The ALJ also reasoned that the latter service did not qualify for New York’s “personal or individual in nature” exception from taxable information services, even though the reports were tailored for each particular customer, because “[c]ustomization of publicly available information into a report does not render it personal or individual in nature” (citing Wegmans Food Markets, Inc. v. Tax Appeals Tribunal, 33 N.Y.3d 587 (2019)).
The ALJ concluded that only one SecureWorks service was nontaxable: a “log retention service” where SecureWorks collected and stored events created by different devices across a customer’s network to ensure the network operated properly. The ALJ reasoned that the service was not a taxable “protective and detective service” because the taxpayer merely “ensur[es] the proper operation of a device so that it retains all of the events created on a network.” The ALJ also reasoned that the service was not a taxable “information service” because the taxpayer “merely reports the events in the customer portal without any additional intelligence.”
The ALJ’s determination (while not precedential) upholds the Department of Taxation and Finance’s prior interpretation of New York’s “protective and detective services” provision as extending to online security services performed for IT assets located in New York. N.Y. Dep’t of Tax. and Fin., TSB-A-15(47)S (Nov. 18, 2015). However, importantly, the determination does not address any arguments regarding the legislative intent of the protective and detective services provision. Tax Law section 1105(c)(8) was enacted (in its current form as relevant to this analysis) in 1990 and was modeled after an identical New York City sales tax provision that was originally enacted in 1975, at a time when web-based security services did not exist. Indeed, it is a paramount rule of statutory construction that in ascertaining statutory intent, consideration must be given to the time period when the statute was enacted. Perrin v. U.S., 444 U.S. 37, 42 (1979). There is no indication that the legislature intended (in 1975 or 1990) for this provision to encompass online security services. Since there was no discussion regarding this legislative intent in the determination, it will be interesting to see whether the Tax Appeals Tribunal (if the case is appealed) or another ALJ would reach a different result if such context were considered.