This article was first published in the World Trademark Review magazine on 5 August 2021.
In May 2021, a fraudster was jailed for four years after he was found faking covid-19 text messages purporting to be from the NHS, banks and other commercial organisations. As part of the scam, he set up bogus websites impersonating the ‘gov.uk’ domain, requesting victims’ personal financial information to verify their identity and entitlement to receive the vaccine.
Unfortunately, this illustrates a situation that is all too common in today’s digital world.
As domain names continue to grow in importance, they draw the attention of those that seek to take unfair advantage of these valuable assets.
According to the Cyber Security Breaches Survey 2021, phishing remains the most common threat experienced by businesses and charities in the United Kingdom. Nevertheless, because domain names are often overlooked as part of many security solutions, they are often targeted by cyber criminals who use them to carry out phishing attacks.
Now more than ever, there is a need for legal departments to become more involved in the security of their company’s domain portfolio.
The concept of ‘domain management from a legal perspective’ puts legal teams at the heart of a company’s domain management strategy. It is also an approach that seeks to strengthen a brand’s legal position online by adopting a range of preventative and reactive measures.
Legal teams understand the inherent risk that come with managing a company’s valuable intellectual property. In fact, the key elements of managing a trademark portfolio are somewhat similar to those of managing a domain portfolio. As a result, legal teams are in the best position to establish a registration and enforcement strategy.
One of the problems in an expansive domain space is how to tackle growing numbers of infringements. Companies cannot be expected to register every possible variation of their brand across numerous domain extensions. Legal teams, therefore, need to collaborate with wider business groups such as marketing and IT to create the best registration strategy.
The first step is to determine which domain names should fall into the company’s portfolio. At a minimum, a good portfolio should include the following:
Once a company has identified which domain names require protection, the legal team need to create clear internal guidelines on how they should be registered, who they should be registered to and what should be done if the domain is already registered to a third party.
In most cases, a defensive strategy will be less expensive and more efficient than an aggressive enforcement approach.
Pre-emptive measures would include the use of the following:
Still, it will be virtually impossible for a company to act on every case of abuse; the ones that try end up playing an infinite game of whack a mole.
As part of a company’s enforcement strategy, legal teams will need to establish a criteria or priority system to determine which domains to recover and the appropriate methods to do so.
For example, the UDRP continues to be an efficient and inexpensive method of enforcement. It also applies to most ccTLDs, which either adopt or provide an alternative mechanism built on the principles found in the UDRP. When a domain falls into one of the protection categories set out above, legal teams should be sure to take swift action.
If a domain does not form part of a company’s portfolio plan or defensive registration strategy, a company may still want to act to stop the abuse. But how can legal teams avoid a situation in which domain recovery leads to an inflated domain portfolio?
In a previous article, we discussed the importance of domain and website takedowns as an effective solution to online threats. In addition, the URS is another mechanism employed by legal teams to address the worst cases of abuse across new gTLDs, but without the burden of maintaining a list of obscure variations of the company’s brand name. But that is not to say that inactive domains cannot still form part of an effective enforcement strategy.
One of the most effective tools in tackling online infringement is education. Legal teams should use recovered domains to educate consumers, distributors and affiliates through the use of landing pages. A recovered domain could provide guidance to victims of fraud, trusted sources of information or even act as a deterrent for other would-be infringers. Domain names used in this way can have a far wider impact on the fight against cybercrime than simply redirecting them to the brands’ official website. Legal teams will need to periodically review the domain portfolio and decide the appropriate time to phase out and drop domains once they have fulfilled their purpose.
Legal teams also need to be vigilant to the ever-changing domain landscape and ensure they are up to date with specific registration policies. For example, Australia (‘.au’) and Canada (‘.ca’) have eligibility rules that require domain applicants to have a local presence or some other connection to that jurisdiction. If the domain owner fails to maintain that presence throughout the term of its registration, it is no longer eligible to hold that domain. In a jurisdiction where an infringer has used their local presence to secure a domain, legal teams may prefer to monitor the situation and report breaches of registry policies rather than going through the time and expense of legal action.
In conclusion, domain names serve many different purposes; they can help enhance marketing efforts or increase brand identity. Nevertheless, their inherent strengths should not overshadow the weaknesses that come from having a poor domain management strategy.
When a company looks at domain management through the lens of a knowledgeable and proactive legal team, it will be in a better position to mitigate and resolve instances of brand abuse.
Head of Legal