The Internet Big Bang: Implications for Financial Services Brand Owners
www.steptoe.com
Tony Onorato, Alexis Hunter
September 12, 2013
Who We Are & What We Do
Tony Onorato and Alexis Hunter are long-time commercial litigators with extensive experience as gTLD practitioners
We advised clients representing nearly 10% of all gTLD applications filed worldwide in 2012
Industry-leading clients in the financial services, insurance, software and media, entertainment, Internet, and fashion sectors, on all aspects of gTLD policy development, technical aspects of registry operation, and business planning
Today’s Learning Event
I. Overview of ICANN & New gTLD Program
II. Program Implications for Financial Sector Companies
III. Key Considerations as Financial Sector Brand Owners
   A. Brand Protection
   B. Enforcement
   C. Risk Mitigation
What is ICANN?
ICANN is a global multi-stakeholder organization that collaborates with companies, individuals, and governments to oversee development and implementation of Internet policy and standards for technical operations
Promotes competition and a secure, stable and interoperable Internet
Domain Name Hierarchy
Top-Level Domain: the right-most label, to the right of the last dot
Second-Level Domain: the label immediately to the left of that dot, acquired through a registrar
Third-Level Domains: may be used to direct traffic to an even more specific location on the Internet; usually used to refer to a specific server in an organization
Domain Name Registration Actors
Registry – in charge of database of domains ending with a particular top-level domain
Registrar – sells rights to use particular second-level domains
Registrant – purchases right to use second-level domain for a designated period of time
Past Expansion & the Origins of the New gTLD Program
23 gTLDs in operation
There are also 250 ccTLDs for geo locales (.jp, .co, .uk, .me, .us)
In 2005, ICANN commenced policy formulation on large-scale top-level expansion
New gTLD Program In a Nutshell
1,930 applications submitted; approx. 1,800 remain
Application Fee = $185,000 per
Virtually any gTLD could be applied for:
– Generics: .INC, .ART, .BOOK, .WTF, .SEXY, .PIZZA
– Brands: .GOOGLE, .WALMART, .NETFLIX, .NBA
– Geographics: .NYC, .LONDON
– Communities: .ECO
– Internationalized Domain Names (IDNs) in non-Latin scripts such as Arabic, Cyrillic, and Lao:
• 點看 (Chinese “dot com”); بازار (Arabic “bazaar”)
1,400 or so new gTLDs could be delegated by 2015
The GAC Attacks: GAC Advice
The GAC provides government advice to ICANN on issues of public policy
In April, the GAC recommended one set of Safeguards for all new gTLDs
And one for “market sectors which have clear and/or regulated entry requirements” such as the financial sector, broadly including banks, lenders, investment houses, insurers, etc.
What Is the GAC Concerned About?
Consumer Protection, Sensitive Strings, and Regulated Markets
“These strings are likely to invoke a level of implied trust from consumers, and carry higher levels of risk associated with consumer harm.”
Safeguards Adopted for All TLDs
1. WHOIS Verification and Checks
• Registry operators punish
2. Mitigating Abusive Activities
3. Security Assessments and Reporting
• “Actual risk of harm …”
4. Documentation of WHOIS Checks, Security Threats & Actions Taken
5. Making and Handling Complaints
6. Consequences
• “Real and immediate …”
Non-exhaustive List of Financial TLDs Targeted for GAC “Enhanced Safeguards”
.capital .financial .loans .trading
.cash .financialaid .market .autoinsurance
.broker .forex .markets .bank
.brokers .fund .money .banque
.claims .investments .pay .carinsurance
.exchange .lease .retirement .credit
.finance .loan .save .creditcard
.mutuelle .netbank .reit .tax
.creditunion .insurance .insure .ira
.lifeinsurance .mortgage .mutualfunds .versicherung
.vermogensberatung .vermogensberater
Open / Restricted Open / Closed
Proposed Enhanced Safeguards
If adopted by ICANN in their present form:
– ES1: Include in its acceptable use policies requirement that registrants comply with all applicable laws, including, e.g., those related to privacy, data collection, consumer protection (including in relation to misleading and deceptive conduct), fair lending, debt collection, and data and financial disclosures
– ES2: Require registrars, at the time of registration, to notify registrants of ES1
Data breach lead to loss of domain?
Operator responsible for its registrants?
Proposed Enhanced Safeguards
ES3: Registry operators will require that registrants who collect and maintain sensitive health and financial data implement reasonable and appropriate security measures commensurate with the offering of those services, as defined by applicable law and recognized industry standards
– “Reasonable and appropriate security measures”?
– “Recognized industry standards”?
ES4: Establish a working relationship with the relevant regulatory, or industry self-regulatory, bodies, including developing a strategy to mitigate as much as possible the risks of fraudulent, and other illegal activities
– Unresponsive regulatory bodies?
– Who determines for, e.g., .BROKER?
Proposed Enhanced Safeguards
ES5: Registrants must be required by the registry operators to notify to them a single point of contact which must be kept up-to-date, for the notification of complaints or reports of registration abuse, as well as the contact details of the relevant regulatory, or industry self-regulatory, bodies in their main place of business
– Relevant bodies?
– Regulatory bodies receive complaints?
Proposed Enhanced Safeguards
ES6: At the time of registration, the registry operator must verify and validate the registrants’ authorisations, charters, licenses and/or other related credentials for participation in that sector
– Change nature of open TLDs?
ES7: In case of doubt with regard to the authenticity of licenses or credentials, Registry Operators should consult with relevant national supervisory authorities, or their equivalents
– Potentially discriminatory?
Proposed Enhanced Safeguards
ES8: The registry operator must conduct periodic post-registration checks to ensure registrants’ validity and compliance with the above requirements in order to ensure they continue to conform to appropriate regulations and licensing requirements and generally conduct their activities in the interests of the consumers they serve
– Potentially discriminatory?
Status of the Enhanced Safeguards
ICANN put a HOLD on the Financial Sector (and other) TLDs
The NGPC met on Tuesday and decided . . .
Hope for the best, plan for the worst . . .
Ramifications of the Safeguards
So, what do the Safeguards mean for REGISTRIES?
– Tighter rules on security and Whois data checks
– Additional oversight, cost, and investigative responsibilities
– More hands-on approach for registries to police their TLDs and enforce their acceptable use policies to ensure compliance with applicable laws
– Increased exposure?
Ramifications of the Safeguards
And, if you want [yourfirm].FUND or [yourfirm].INVESTMENT or [yourfirm].INSURE, what do the Safeguards mean for REGISTRANTS?
– Greater record keeping and data disclosure obligations
– New or enhanced security measures to safeguard consumers’ information
– Additional oversight responsibilities
– Adherence to multijurisdictional laws
– Proactive protection of domain assets
The Internet Can Be a Dangerous Place
38% of fraud cases are due to email and 12% are due to websites – in other words, the Internet is used to enable HALF of all fraud each year (FTC Consumer Sentinel Network 2012 Report)
The increase in domains will provide a wealth of options for miscreants
Over half of the new TLD applications are generics
– Minimum controls
– Maximum competition
The Internet Can Be a Dangerous Place
Abusive domains increased by 25% from Dec. 2012-May 2013
Even though the rate at which they are being removed is increasing, it cannot keep up with the rate of abuse
(NameSentry Report 2013, Architelos Inc.)
Key Considerations For Brand Owners
As brand owners, you need to consider how you will respond to the coming mass expansion
– Trademark Clearinghouse now
– Strategize offensive/defensive registration
– Prepare to combat – and budget for – enforcement
• Registration fees
• TMCH fees
• Policing and remediating domain name abuse
– Security risk mitigation, especially in open TLDs
The Trademark Clearinghouse
Repository of verified rights information – a database for verified trademarks
(1) Sunrise and (2) Claims Service
– Pre-public access
– Notification of attempts to register domains matching your marks
– Not intended to “block” domain name registrations
– Does not alert to registrations incorporating confusingly similar marks
(3) TM+50: claims notices for up to 50 labels
Proactive Brand Protection
Assess global trademark portfolio to determine potential marks to be submitted to the TMCH
– Organize potential submissions into priority tiers:
• Importance in the marketplace
• Geographic reach
• Likelihood of infringement
• Potential impact of infringement
• Longevity of mark (i.e., marks that may be phased out in the near future or that are due to be divested may be a lower priority)
Proactive Brand Protection
Assess potential registries for participation in Sunrises and Landrush
– Determine potential TLDs for registration:
• Industry relevance
• Geographic terms
• IDNs
• Future product offerings
• Likelihood of and impact of infringement in particular TLDs
Audit existing domain portfolio – clean out the attic
Enforcement
Post-Launch
Uniform Domain Dispute Resolution Procedure (“UDRP”): Independent administrative proceeding to resolve disputes over alleged abusive domain name registrations / alternative to court for pursuing cases of cybersquatting
Uniform Rapid Suspension System (“URS”): Intended to provide rapid relief to trademark holders for the most clear-cut cases of infringement
Post-Delegation Dispute Resolution Procedure (“PDDRP”): For trademark holders to address any large-scale infringement concerns directly at the registry level where the registry profits from bad faith registrations / failure to live up to contractual promises to ICANN/safeguards
Enforcement
There is nothing (yet) to stop the endless permutations of *[yourfirm]*.TLD that could be registered and used for malicious purposes
Enforcing against this abuse is a MUST for brand and reputation protection, especially in sensitive sectors
Failure to be vigilant could harm your customers, attract regulatory scrutiny, and mean a failure to comply with your domain’s Terms of Use
Budget for UDRP/URS proceedings
Budget for abuse monitoring, including in IDNs
Internet-Based Threats to Financial Sector Entities
Altering DNS information is a common objective of a registration account compromise
Unauthorized access to domain registration from compromised account identities and authentication credentials
Unsecure email from registrars, ICANN, TMCH, vendors, registries, etc.
Is web access to a registration account necessary to you?
Risk Mitigation
Protect account credentials
Domain name registrations are an asset and should be included in business processes such as asset management and risk management programs
Maintain documentation to prove registration
Domain Name points of contact considerations
Monitor for Whois and DNS change activity
Monitor domain code status
Monitor FS-ISAC
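Added example (not part of the original presentation): one way to act on "Monitor for Whois and DNS change activity" and "Monitor domain code status" is to diff periodic WHOIS snapshots of each registered name. The field names follow common registrar WHOIS output; the domain, registrar and both snapshots are constructed placeholders.

```python
# Added example: diff two WHOIS snapshots of a domain and flag risky changes.
# The snapshots are constructed sample data for a placeholder domain.
import re

# EPP status codes that lock a name against transfer, update and deletion.
EXPECTED_LOCKS = {"clientTransferProhibited", "clientUpdateProhibited",
                  "clientDeleteProhibited"}
# Status codes meaning the name is suspended, mid-transfer or about to lapse.
ALARM_STATUSES = {"clientHold", "serverHold", "pendingTransfer",
                  "pendingDelete", "redemptionPeriod"}
WATCHED = ("registrar", "registrant email", "name server")

BASELINE = """Registrar: Example Registrar, Inc.
Registrant Email: domains@yourfirm.example
Name Server: NS1.YOURFIRM.EXAMPLE
Name Server: NS2.YOURFIRM.EXAMPLE
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited"""
CURRENT = """Registrar: Example Registrar, Inc.
Registrant Email: domains@yourfirm.example
Name Server: ns1.parked.example
Name Server: NS2.YOURFIRM.EXAMPLE
Domain Status: pendingTransfer https://icann.org/epp#pendingTransfer"""

def parse_whois(text):
    """Return {field: set(values)} for the watched fields and domain status."""
    rec = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(\S.*)$", line)
        if not m:
            continue
        key, val = m.group(1).strip().lower(), m.group(2).strip()
        # Keep only the status code (drop its URL); other values ignore case.
        val = val.split()[0] if key == "domain status" else val.lower()
        if key in WATCHED or key == "domain status":
            rec.setdefault(key, set()).add(val)
    return rec

def review(baseline, current):
    """List watched-field changes, missing locks and alarming statuses."""
    old, new = parse_whois(baseline), parse_whois(current)
    findings = [f"CHANGED {f}: {sorted(old.get(f, []))} -> {sorted(new.get(f, []))}"
                for f in WATCHED if old.get(f, set()) != new.get(f, set())]
    status = new.get("domain status", set())
    findings += [f"MISSING LOCK {c}" for c in sorted(EXPECTED_LOCKS - status)]
    findings += [f"ALARM STATUS {c}" for c in sorted(ALARM_STATUSES & status)]
    return findings
```

Calling review(BASELINE, CURRENT) on the sample data reports the changed name server, the three dropped registrar locks and the pendingTransfer status; an unchanged snapshot yields an empty list.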
Risk Mitigation
Monitor open TLDs – contact the registries and pursue complaints including using the PDDRPs
Look for registrars that aggressively monitor and respond to registrar impersonation attacks
Make sure there is an abuse point of contact and know when they are available
Customer communication – prepare your customers to understand that if a communication does not come from certain domains, it’s NOT FROM YOU
Compliance with Safeguards and applicable, multi-jurisdictional laws – audit
How to Contact Us
Tony Onorato
(212) 506-3933
Follow me for gTLD updates
@TonyOnorato
Alexis Hunter
(212) 506-3934
Internet, New gTLD & Domain Name Services
http://www.steptoe.com/practices-319.html
Thank you for joining us.