Article by Sarah Benowich
In addition to the Covid-19 pandemic’s devastating human toll, it has also ushered in a dramatic increase in cybercrime and cyberattacks. For example, the FBI has reported as much as a 400% increase in the number of reported cyberattacks since before the pandemic. And, Microsoft has reported that pandemic-related attacks, including phishing, have increased by tens of thousands per day. Individuals, nations, and large corporations have all been victims of these incidents – and law firms are not immune. Protecting clients from these cyberattacks is not only a critical responsibility for a law firm’s confidentiality and security obligations, but can also be a tool to engage and build trust with clients in a relatively cost- and time-efficient manner pursuant to the Uniform Domain Resolution Policy (“UDRP”). The UDRP has existed since well before the pandemic, but its procedures may have additional benefits now as a low cost and quick method to obtain cancelation or transfer of abusive domain names.
The UDRP establishes an arbitration-style legal framework akin to an arbitration to resolve disputes by a domain name registrant against a third party which has engaged in abusive registration and use of Internet domain names in generic top-level domains (“gTLDs”, common examples include .com; .biz; .net) while preserving both parties’ ability to go to court. Developed based on the World Intellectual Property Organization’s (“WIPO”) Internet Domain Name Process report presented in August 1999 in Santiago, Chile, the UDRP is ultimately intended to be a quick and cost-effective mechanism for domain name registrants and trademark owners to protect their rights.
Corporate Counsel has even called the UDRP the “preferred” method for trademark owners to enforce their rights at least in part because in contrast with litigation, a UDRP complaint can be resolved within 45 days and as little as $750 in costs making it a relatively quick and cost-effective mechanism for domain name registrants and trademark owners to protect their rights. The Complainant typically bears the responsibility to pay all fees with the administrative proceeding, and the UDRP does not authorize any fees for the recovering party. Each administrative body, including WIPO, publishes their current fees, which can vary based on the number of domain names and panelists.
One benefit of pursuing a UDRP claim is that the complainant still retains the right to go to court. One possible drawback is that there are no monetary damages in UDRP proceedings, and an arbiter may only order cancellation or transfer of the abusive domain name. However, these two avenues are still important remedies, which can at least staunch any ongoing domain name dispute.
For law firms, filing UDRP proceedings for clients is a natural complement to trademark or cybersecurity practices. Additionally, as law firms themselves continue to be targets of phishing, cybersquatting, and other cyberattacks which may try to obtain confidential client data or lure clients to provide payment, law firms can file UDRPs on their own behalf which can help not only protect a firm’s trademark rights, but also build trust after a client may have experienced such an attack.
A Complainant’s Burden of Proof
Those who file complaints are referred to as “Complainants” and can pursue their claim through various approved Internet Corporation for Assigned Names and Numbers (“ICANN”) dispute resolution providers, with WIPO being the most prominent.
Any individual or corporate entity globally can file a domain name complaint using UDRP but must satisfy three key elements:
- the domain name registered by the domain name registrant is identical or confusingly similar to a trademark or service mark in which the complainant (the person or entity bringing the complaint) has either statutory or common law rights;
- the domain name registrant has no rights or legitimate interests in respect of the domain name in question; and
- the domain name has been registered and is being used in bad faith.
Pearl Cohen recently and successfully initiated UDRP proceedings after a third party had registered and used the domain name <pearl-cohen.com>, which is nearly identical to Pearl Cohen’s trademark and associated domain name <pearlcohen.com>, solely to try and extort payment and information from particular clients. Like many other cyberattacks, these occurred over the summer and fall, and were consistent and sophisticated in their ability to mimic the Firm’s domain name, graphics, and communications with the client. Here, there was clear evidence supporting all three elements and a sole panelist issued a strong opinion transferring the abusive domain name to Pearl Cohen.
The Basic Procedure and Timing of a UDRP Proceeding
A UDRP procedure has five basic phases, which occur over approximately 45 days. The speedy nature of these proceedings is important not only in staunching any ongoing cyberattack but also in bolstering trust and communication with clients, who have an additional opportunity to see the firm work quickly, collaboratively, and efficaciously in response to the client’s needs.
First, like in a traditional litigation, the process begins when a complainant files its complaint, and the dispute resolution provider ensures that it conforms with the basic requirements. WIPO, one of the major dispute resolution providers, even provides a template complaint. (Day 1.)
Second, the Respondent will have the opportunity to respond to the complaint. Respondents will frequently default, which constitutes further evidence of bad faith. There are several procedural and substantive grounds which may render the complaint improper. Some of the primary defenses include: (a) the use or intent to use the domain name in connection with a bona fide offering of goods or services; (b) the respondent has been commonly known by the domain name, even if the Respondent has acquired no trademark or service mark rights; or (c) the Respondent is making a legitimate noncommercial or fair use of the domain name, without intent for commercial gain to misleadingly divert consumers or to tarnish the trademark or service mark at issue. (Day 4-25.)
Third, the dispute resolution provider will appoint an administrative panel of one or three persons who will decide the dispute. (Day 28.) Of course, three-member panels are more costly, but may be necessary depending on the complexity of the case.
Fourth, after the panel is convened, it must issue a prompt decision. There are only three possible outcomes of a UDRP proceeding, but there are no monetary awards. The administrative panel can transfer the disputed domain name to the Complainant, which gives the complainant control over the domain name and deprives the abusive registrant of its ability to use that domain name for bad faith efforts. Or, the administrative panel can cancel the disputed domain name, entirely rendering the disputed domain name out of service. The panel may also entirely deny any relief if it lacks authority or the complaint was brought in bad faith. (Day 42-45.)
Finally, the domain name registrar will implement the administrative panel’s decision after waiting 10 days to give the adversely affected registrant an opportunity to file a complaint in a court of mutual jurisdiction. (Day 55.)
Using the UDRP as a Way to Combat Cyberattacks and Build Client Relationships
The UDRP’s speedy and inexpensive mechanism provides an alternative to traditional litigation and can be another way to build and restore client trust. Cyberattacks are serious breaches of security and trust. Filing a UDRP complaint may enable a law firm to demonstrate it is highly responsive and protective of client information and working to ensure a positive client experience, while also enforcing its own trademark rights without expending significant time or money.