May 01, 2020

MONTH-IN-BRIEF: Internet Law & Cyber-Security

Juliet Moringiello, Sara Beth A.R. Kohut

Cybersecurity

D.C. Enacts Security Breach Protection Amendment

By Tim Wolfe, University of Washington School of Law

On March 26, the District of Columbia enacted the Security Breach Protection Amendment Act of 2020, increasing consumer data protection measures. The Act amends Title 28 of the District of Columbia Official Code by:

  • expanding the definition of “personal information” to include any unique identification number issued on a government document, medical and genetic information, biometric data, data that facilitates access to an individual’s email account, etc.;
  • detailing the notification requirements in the event of a data breach, including notifying the Office of the Attorney General for the District of Columbia if the breach affects 50 or more District residents;
  • specifying security requirements for the protection of personal information;
  • requiring 18 months of identity theft protection services be made available to individuals whose social security or taxpayer identification number has been compromised at no cost; and
  • stating that a violation of the notification requirements is an unfair and deceptive trade practice.

The Act takes effect following a 30-day period of congressional review and publication in the District of Columbia Register.

Supreme Court Will Resolve Circuit Split on Federal Anti-Hacking Law

By Keith R. Fisher

Recently the U.S. Supreme Court granted certiorari in Van Buren v. United States, which will have significant implications for employers protecting sensitive data and information. The case presents the question whether a provision of the federal anti-hacking statute, the Computer Fraud and Abuse Act of 1986, which criminalizes intentionally “access[ing] a computer without authorization or exceed[ing] authorized access,” also prohibits one who is authorized to access information on a computer for one purpose from accessing it for an unauthorized purpose.

A decision on this issue will resolve a classic split in the circuits. The First, Fifth, Seventh, and Eleventh Circuits have broadly interpreted 18 U.S.C. § 1030(a)(2) as applying to any person who exceeds his authorized computer access and obtains information for an improper purpose; the Second, Fourth, and Ninth Circuits, have interpreted the language more narrowly to cover only cases where individuals access information that they had no right to access for any purpose.

Among other things, the case will clarify whether employers may seek redress for employees’ misuse of workplace computers.

Internet Law

Online Software Subscriptions Subject to MA Sales Tax

By Tim Wolfe, University of Washington School of Law

On February 5, 2020, the Massachusetts Supreme Judicial Court upheld a $3.2 million tax assessment against Citrix Systems, Inc. for its sales of subscriptions to GoToMeeting, GoToAssist, and GoToMyPC to Massachusetts residents. CITRIX SYSTEMS, INC. v. Commissioner of Revenue, No. SJC-12741 (Mass. Feb. 5, 2019). This is the first time a state’s highest court ruled on the taxability of cloud computing, finding the sales constituted “taxable transfers of prewritten software” consistent with the meaning of a 2005 amendment to the Massachusetts Tax Code.

The court rejected Citrix’s contention that the sales did not involve a taxable “transfer” of software, relying heavily on the inclusion of “transfers of rights to use software installed on a remote server” in 830 Code. Mass. Regs. § 64H.1.3(3)(a) (emphasis added). The court also rejected Citrix’s contention that the “sales of the online products constitute sales of services and not of tangible personal property,” finding the “true object” of the subscriptions were to access and use online products, not the underlying services that support those products.

Juliet Moringiello

Commonwealth Professor of Business Law, Widener University Commonwealth Law School

Juliet Moringiello is the Commonwealth Professor of Business Law at Widener University Commonwealth Law School in Harrisburg, PA, where she teaches Property, Bankruptcy, Secured Transactions, Sales, and a seminar on Cities in Crisis. She earned her B.S.F.S. at Georgetown University, her J.D. at Fordham University School of Law, and her LL.M in Legal Education at Temple University School of Law. Professor Moringiello is Chair of the Pennsylvania Bar Association Business Law Section, a Uniform Law Commissioner for Pennsylvania, and a member of the American Law Institute. She is also a Fellow of the American College of Commercial Finance Lawyers and has held several leadership positions in the American Bar Association Business Law Section.

Sara Beth A.R. Kohut

Co-Chair; Cybersecurity, Privacy, and Data Protection Group; Young Conaway

Sara Beth’s practice focuses on advising legal representatives for future claimants in connection with asbestos mass tort insolvency matters and settlement trusts. She has also represented national and local businesses in cases involving intellectual property, corporate and commercial issues in the federal and state courts in Delaware. Sara Beth has advised clients on strategies for protecting intellectual property rights and complying with obligations governing the privacy and security of sensitive data. She currently co-chairs Young Conaway’s Cybersecurity, Privacy, and Data Protection group.