Are certain cybersecurity services that MSSP provide to their customers subject to a state's sales tax law? Apparently in New York state they are, at least until existing state tax law is updated to reflect cloud-based security services.
In a case that MSSPs are certain to watch closely, a New York state administrative law judge (ALJ) determined that cloud-based security provider Secureworks, a Top 250 MSSP, must pay sales tax on some cybersecurity services it provides when the customer’s network and devices are located in the state, according to a blog post by Baker McKenzie, a state and local tax law firm.
The ALJ reportedly determined that most of the cybersecurity services provided by the Atlanta, Georgia-based Secureworks--including managed securing services and network monitoring, which encompasses much of the value MSSPs provide to their customers--could be subject to New York sales tax as “protective and detective services” under existing state tax law.
Secureworks, whose parent is Dell Technologies, claims some 4,000 customers in 50 countries. It is unclear how many of their clients are based in New York state. Chatter that Dell has placed the MSSP on the sales block has been floating around for more than a year, with Atos thought to be the latest potential buyer.
MSSP Security Service Taxes: New York Ruling
According to the blog post, the ALJ concluded that some Secureworks services, such as research and analysis presented to customers and alerts regarding cybersecurity threats, did not qualify for New York state’s tax exception because they are not “personal or individual in nature,” despite the fact that the reports were customized for each customer.
The only Secureworks offering that wasn’t taxable under New York state tax law was a “log retention service” to secure a customer’s network, such as keeping track of security events, because its purpose is to ensure all devices on the network operate as they should. In addition, the ALJ concluded that the service isn’t taxable because it’s composed of reports without analysis.
Obviously, the ALJ’s ruling has the potential to reverberate across hundreds of MSSPs providing cybersecurity services in New York state inasmuch as it affects their core deliverables. But there is more to it. The ALJ’s conclusion does not address the clear need to modernize the tax law in question, the blog’s authors wrote.
“The determination does not address any arguments regarding the legislative intent of the protective and detective services provision,” the blog said. While the tax law in question was enacted in 1990 it was modeled on an “identical” New York City sales tax measure that dates to 1975 when online security services did not exist, the bloggers said. Notwithstanding the ALJ's decision, the case is likely to face an appeal. “There is no indication that the legislature intended (in 1975 or 1990) for this provision to encompass online security services,” the blog reads. “Since there was no discussion regarding this legislative intent in the determination, it will be interesting to see whether the Tax Appeals Tribunal (if the case is appealed) or another ALJ would reach a different result if such context were considered.”