The New York State sales tax on “protective and detective services” has been given an expansive reading by the New York State Tax Appeals Tribunal in a decision involving information technology (“IT”) security services. In In re Secureworks, Inc., DTA Nos. 828328 and 828329 (N.Y. Tax App. Trib. Feb. 17, 2022), the Tribunal upheld the imposition of sales tax on the furnishing of IT security services that enabled customers to prevent, detect, respond to, and predict cyberattacks, holding that it constituted a taxable “protective service.”
Facts: Secureworks, Inc. (“Secureworks”) is an Atlanta-based IT security services provider. It furnishes customers with “monitoring” services, which involve reviewing thousands of “events” produced by a computer or related device, including software, and advising those customers when further investigation or customer attention is necessary. Secureworks sometimes provides customers with an additional “management” service, which involves making changes to the device or software to ensure that cyber threats are adequately prevented. Among the specific activities it performs are the monitoring and managing of computer firewalls, and network intrusion detection and prevention services that protect customer servers, laptops, and desktops.
At issue was whether these monitoring and managing security services constituted “protective and detective services” subject to sales tax under Tax Law § 1105(c)(8).
Ruling: The Tribunal upheld the imposition of sales tax on the IT security services, concluding that the statutory term “protective services”—i.e., ‘alarm or protective systems of every nature, including . . . protection against burglary, theft . . . or any other malfunction of or damage to property’”—“plainly encompasse[d]” IT security services. Id. at 20. While Secureworks did not itself take overt action to block attempted cyberattacks, the Tribunal nonetheless concluded that by monitoring and configuring customer networks, devices, and software, it was protecting and guarding the customer against cyber threats, which it viewed as a taxable protective service similar to that provided by an “alarm company.”
Observations: The Tribunal decision is in line with Tax Department administrative pronouncements subjecting to sales tax the furnishing of anti-virus and anti-spyware protection (TSB-A-10(14)S, Apr. 8, 2010), or any service that prevents unauthorized access to a customer’s IT assets (TSB-A-15(47)S, Nov. 18, 2015). However, it seems a stretch to view cybersecurity services as “plainly” constituting “protective services” under the statute, which historically applied to such services as alarm company burglary monitoring and security guard services. The New York courts have consistently held that tax imposition statutes, such as Tax Law § 1105(c)(8), must be interpreted narrowly against the taxing authority, something that the Tribunal acknowledged but dismissed based on the reference in the statute to “all services provided by or through alarm . . . systems of every nature” (emphasis added). Id. The question of statutory interpretation will undoubtedly be addressed if the decision is appealed to the New York courts.
The Tax Department also could attempt to use Secureworks as support for its controversial position that cloud-based credit card “fraud management services” offered to retail merchants also constitute a taxable protective service (TSB-A-15(16)(S), May 7, 2015).