CURRENT MONTH (April 2020)

Cybersecurity

D.C. Enacts Security Breach Protection Amendment

By Tim Wolfe, University of Washington School of Law 

On March 26, the District of Columbia enacted the Security Breach Protection Amendment Act of 2020, increasing consumer data protection measures. The Act amends Title 28 of the District of Columbia Official Code by:

  • expanding the definition of “personal information” to include any unique identification number issued on a government document, medical and genetic information, biometric data, data that facilitates access to an individual’s email account, etc.;
  • detailing the notification requirements in the event of a data breach, including notifying the Office of the Attorney General for the District of Columbia if the breach affects 50 or more District residents;
  • specifying security requirements for the protection of personal information;
  • requiring that 18 months of identity theft protection services be made available, at no cost, to individuals whose social security or taxpayer identification number has been compromised; and
  • stating that a violation of the notification requirements is an unfair and deceptive trade practice.

The Act takes effect following a 30-day period of congressional review and publication in the District of Columbia Register.

Supreme Court Will Resolve Circuit Split on Federal Anti-Hacking Law

By Keith R. Fisher

Recently the U.S. Supreme Court granted certiorari in Van Buren v. United States, which will have significant implications for employers protecting sensitive data and information. The case presents the question whether a provision of the federal anti-hacking statute, the Computer Fraud and Abuse Act of 1986, which criminalizes intentionally “access[ing] a computer without authorization or exceed[ing] authorized access,” also prohibits one who is authorized to access information on a computer for one purpose from accessing it for an unauthorized purpose.

A decision on this issue will resolve a classic split in the circuits. The First, Fifth, Seventh, and Eleventh Circuits have broadly interpreted 18 U.S.C. § 1030(a)(2) as applying to any person who exceeds his authorized computer access and obtains information for an improper purpose; the Second, Fourth, and Ninth Circuits have interpreted the language more narrowly to cover only cases where individuals access information that they had no right to access for any purpose.

Among other things, the case will clarify whether employers may seek redress for employees’ misuse of workplace computers.

Internet Law

Online Software Subscriptions Subject to MA Sales Tax

By Tim Wolfe, University of Washington School of Law

On February 5, 2020, the Massachusetts Supreme Judicial Court upheld a $3.2 million tax assessment against Citrix Systems, Inc. for its sales of subscriptions to GoToMeeting, GoToAssist, and GoToMyPC to Massachusetts residents. Citrix Systems, Inc. v. Commissioner of Revenue, No. SJC-12741 (Mass. Feb. 5, 2020). This is the first time a state’s highest court has ruled on the taxability of cloud computing, finding the sales constituted “taxable transfers of prewritten software” consistent with the meaning of a 2005 amendment to the Massachusetts Tax Code.

The court rejected Citrix’s contention that the sales did not involve a taxable “transfer” of software, relying heavily on the inclusion of “transfers of rights to use software installed on a remote server” in 830 Code Mass. Regs. § 64H.1.3(3)(a) (emphasis added). The court also rejected Citrix’s contention that the “sales of the online products constitute sales of services and not of tangible personal property,” finding the “true object” of the subscriptions was to access and use online products, not the underlying services that support those products.

 
