Friday, December 7, 2012

Florida Introduces Affiliate Nexus Legislation

For the sixth year in a row, Florida legislators introduced a bill that (like many states before it) would create a rebuttable presumption that any out-of-state Internet retailer or mail order seller which enters into an agreement with a Florida resident (an “affiliate”) for paid referrals is subject to the State’s sales and use tax.  Referrals which subject out-of-state sellers to Florida tax are broadly defined and can be via “a link on an Internet website, an in-person oral presentation, telemarketing, or otherwise.”  Out-of-state sellers who have cumulative gross receipts of $10,000 or less from the referrals would not be subject to Florida tax.  As in several other states, the bill would allow sellers to rebut the presumption that they are subject to tax by submitting evidence that the affiliates “did not engage in any activity within [Florida] which was significantly associated with the dealer’s ability to establish or maintain the dealer’s market…during the 12 months immediately before the rebuttable presumption arose.”

As we have written previously, in response to a challenge by to a similar law enacted in 2008 in New York, a New York State appeals court held that the law was not unconstitutional on its face because it allows a retailer to rebut the presumption of solicitation.  The court remanded the case to the lower court to determine whether the law violated the Constitution’s Commerce and Due Process Clauses as applied to  In the meantime, as similar affiliate nexus laws have been passed in a handful of other states, many retailers have terminated their affiliate relationships.  Also, last spring, in a case argued by George Isaacson and Matt Schaefer of Brann & Isaacson, an Illinois court found that Illinois’ affiliate nexus law, which does not allow an affected retailer to rebut the statute’s conclusive determination that having affiliates in the state creates nexus, violates the Commerce Clause as well as the Internet Tax Freedom Act.

Tuesday, December 4, 2012

Data Breaches: Some Lessons

Some of our readers may have read about recent high-profile data breaches, such as the one involving credit card information taken from many Barnes & Noble retail stores. Or they may have heard of the huge class action lawsuits against Sony which resulted from its handling of a 2011 incident in which hackers broke into the Sony PlayStation Network. In that case, the hackers accessed names, addresses, user names, passwords, and other personal information from about 77 million user accounts. And they may have read about the breach involving TD Bank, in which TD Bank misplaced computer back-up tapes containing personal information for 267,000 customers in March 2012, but did not inform the affected customers and pertinent state authorities until seven months later, in October. Each of these instances brings to light some apparent misconceptions regarding the handling of data breaches.

Myth 1: There is no law that requires action in the event of a data breach.

Fact 1: There is no federal law (aside from laws regarding specialized industries such as banking and health care) that requires a response. However, 46 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands require certain actions be taken in the event of a data breach regarding personal information, and each of these laws is different.

Myth 2: My company only needs to comply with the data breach laws of the states in which my company has an office or other physical presence.

Fact 2: A company is subject to the data breach laws of not only the states in which it has a physical presence but also the states in which it has customers.

Myth 3: I need only look at one state’s laws if there has been a data breach.