Thought leadership from our experts

Domain names: a valuable business asset but also a risk factor

Nathalie Dreyfus, French and European trademark attorney and renowned expert consultant before the Court of Appeal of Paris, as well as before the WIPO Arbitration and Mediation Center and the National Arbitration Forum (NAF), emphasizes that domain names are an important asset for companies as well as a risk factor.

Why are domain names both a valuable business asset and a risk factor?

Domain name registrations have increased steadily over the years, with growth reaching 3.5% in 2018. Domain names are the gateway to businesses' websites, so they are a valuable business asset for companies, almost as important as their trademarks. Moreover, prices on the domain name sales and purchase market are steadily increasing, as companies are ready to invest in domain names related to their product names, brand names, and business activities.

On the other hand, domain names are an important risk factor for companies. According to a PriceWaterHouse report, intellectual property is one of the top three business risk factors, with domain names being one of the intellectual property related risks. There are many risks related to domain names, such as phishing campaigns, identity theft, and cybersquatting attacks, that endanger companies' businesses. For example, Vinci Group fell victim to a cyberattack. A third party registered the domain name <vinci.group> and used it to send a fake press release to subscribers in a mass e-mail campaign. As a result, Vinci Group's share price plummeted. The existence of domain names that replicate a business's trademark can therefore lead to financial loss.

Furthermore, businesses that want to attract and retain customers should demonstrate that they are taking all the necessary security measures to protect their domain names. Indeed, twenty per cent of customers do not repurchase from a brand that was a victim of a cyberattack. Thus, businesses should be able to act quickly to prevent infringements related to domain names in order to avoid the charge of negligence.

What are the impacts of cyberattacks on domain names?

Cyberattacks can have damaging consequences for businesses, such as significant financial loss arising from the theft of critical information. Cyberattacks have become quite common, and they are becoming more complex from a technical point of view.

Generally, cyberattacks aim to recover data or funds by using the company's domain name or the email addresses attached to it. Cyberattacks can impact domain names in several ways. First of all, domain name wholesalers are constantly on the lookout for public domain names available for sale. The purpose is to attract the company's customers, who believe that they are going to a site owned by the company, and to use this diversion for financial purposes.

In addition, scammers have been actively launching domain name homograph attacks, which consist of using non-Latin letters and characters that resemble Latin characters to replicate registered domain names. The difference between Latin and non-Latin characters is not visible on laptops and tablets, so users do not see the difference. The lookalike domains point to fake lookalike websites.
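The homograph technique described above can be screened for on the monitoring side. The following is an added example, not part of the original article: it decodes the registered (punycode) form of a domain, reports which scripts its letters come from, and folds known lookalike characters back to Latin to compare against a brand name. The brand `example.com`, the function names and the small confusables table are assumptions made for illustration.

```python
import unicodedata

# Constructed, deliberately small confusables table (non-Latin -> Latin).
# Assumption: a real monitor would load the full Unicode confusables data.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",  # Cyrillic
    "\u03bf": "o", "\u03b1": "a",                                # Greek
}

def to_unicode(domain):
    """Decode punycode ("xn--") labels so the visible form can be inspected."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed label: keep the raw form for manual review
        labels.append(label)
    return ".".join(labels)

def scripts(label):
    """Scripts of the letters in a label, taken from Unicode character names."""
    return sorted({unicodedata.name(ch, "UNKNOWN").split(" ")[0]
                   for ch in label if ch.isalpha()})

def skeleton(label):
    """Fold known lookalike characters to the Latin letter they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)

def check(candidate, brand_domain):
    """Compare the first label of a candidate domain with the brand's."""
    shown = to_unicode(candidate)
    label = shown.split(".")[0]
    brand = brand_domain.lower().split(".")[0]
    return {
        "displayed_as": shown,
        "scripts": scripts(label),
        "mixed_script": len(scripts(label)) > 1,
        "homograph": label != brand and skeleton(label) == brand,
    }

# Constructed sample: "example" with a Cyrillic "а" (U+0430), as registered.
SAMPLE = "xn--" + "ex\u0430mple".encode("punycode").decode("ascii") + ".com"

if __name__ == "__main__":
    for name in (SAMPLE, "example.com", "examp1e.com"):
        print(name, check(name, "example.com"))
```

A label written entirely in one non-Latin script is not mixed-script but can still match the brand after folding, which is why the check reports both signals separately.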

There is also the emergence of SSL certificate fraud. The green padlock icon aims to guarantee websites' security. However, the level of guarantee is compromised by low-level security SSL certificates that are available on the Internet for free.

Moreover, in France, the "RIO code" fraud has become an issue lately. The RIO code is a mobile phone operator's identity. It enables mobile phone users to switch between telecommunication providers. If a third party obtains the RIO code, it can access the data stored on a mobile phone. This type of fraud uses domain names infringing the rights of telecommunication brands.

There is also the emergence of phishing websites that are linked to social media network pages offering fake contests and sweepstakes.

Finally, the Mail eXchanger (MX) record associates a domain name with a mail server and allows sending out mass e-mail campaigns, which creates the possibility of sending fake e-mail campaigns that damage a business's reputation.

All of the abovementioned cyberattacks can impact domain names and harm a business's trademark and reputation.

How are domain name disputes settled?

It is not common for domain name disputes to be settled by court decisions. Most of the time, domain name disputes are settled through Alternative Dispute Resolution (ADR) procedures such as the UDRP. The UDRP service has been offered since the end of 1999. These procedures are used to resolve disputes related to domain name fraud. In particular, they take into consideration the international aspect of these cases and the difficulties that arise in the execution of court decisions. The UDRP allows brand owners to obtain a domain name transfer for a small fee. There are also other centers that offer similar services, but the two major ones are the WIPO and the NAF in the U.S. There is a European center in Prague and another center for the Asian region. The goal is to make the alternative dispute resolution tool available to Internet users.

How do you explain the surge in ADR cases?

This is due to the increasing value of domain names as well as the GDPR. Indeed, the anonymization of the WHOIS creates a problem in terms of identification because the personal information of domain name owners is no longer available. With the anonymization of the WHOIS database, the only information available is the country of residence of the domain name owner and an online form for requesting more information.

For instance, it is now almost impossible to simply ask the domain name owner to transfer the disputed domain name, or to answer the question of whether or not a person or a company has rights to a domain name. This lack of information leads to a surge of UDRP disputes.

Moreover, regarding the consolidation of UDRP complaints, it is now difficult to prove that a registration application comes from the same person or company, which results in more UDRP proceedings. There are also cases where we have to deal with a subsidiary that registered a domain name and is not liable because of this absence of data. In view of the growing importance of domain names, new systems must be designed, such as procedures for lifting anonymity.

What are the compliance obligations regarding domain names?

Following the logic of the Vigilance law, NIS, Sapin 2, and the GDPR, businesses are required to put in place risk mapping as well as a risk management plan. It is therefore necessary to include domain names in the compliance policy, and to create a risk map and a risk management strategy for domain names. The legislation applies to domain names indirectly, without explicitly mentioning them. For example, if a domain name such as "email-wellknown trademark.com" exists along with mail servers associated with it, it represents a potential risk, as it can be used for sending out fake mass mailing campaigns or for phishing. Thus, it becomes a legal obligation for companies to protect themselves. Many countries have adopted such legislation, including France and the U.S. (the Foreign Prevention Act).

How to protect a business from domain name related risks?

As a first step, it is necessary to map the risks related to domain names, because once they are identified it is easier to take action to prevent them. In order to do so, businesses have to classify the levels of risk depending on the company and its trademarks, and then develop a strategy in order to know which threats are more important to fight. For example, so-called parking websites and inactive websites targeting a well-known brand should be a priority for some businesses, whereas for other brands they may not be the priority. Companies should bear in mind that there is no such thing as "zero risk".

After having identified the risks related to domain names, businesses should put in place active domain name monitoring strategies. At Dreyfus, we have our own domain name monitoring system. For valuable business trademarks, 24/7 domain name monitoring is recommended in order to immediately detect suspicious domain names and to take action before they become an issue.

Finally, after having taken all the necessary security measures, it is important for businesses to be insured in order to get compensation in case of a cyberattack. Over the years, cybersecurity insurance has developed and has become an indispensable tool in the management of internet-based risk.