the internet big bang: implications for financial services

The Internet Big Bang: Implications for Financial Services Brand Owners www.steptoe.com Tony Onorato, Alexis Hunter September 12, 2013



Who We Are & What We Do

Tony Onorato and Alexis Hunter are long-time commercial litigators with extensive experience as gTLD practitioners

We advised clients representing nearly 10% of all gTLD applications filed worldwide in 2012

Industry-leading clients in the financial services, insurance, software and media, entertainment, Internet, and fashion sectors, on all aspects of gTLD policy development, technical aspects of registry operation, and business planning

Today’s Learning Event

I. Overview of ICANN & New gTLD Program
II. Program Implications for Financial Sector Companies
III. Key Considerations as Financial Sector Brand Owners
    A. Brand Protection
    B. Enforcement
    C. Risk Mitigation

I. Overview of ICANN & New gTLD Program


What is ICANN?

ICANN is a global multi-stakeholder organization that collaborates with companies, individuals, and governments to oversee development and implementation of Internet policy and standards for technical operations

Promotes competition and a secure, stable and interoperable Internet

Domain Name Hierarchy

Top-Level Domain: the right-most label, to the right of the dot

Second-Level Domain: the label to the left of the dot, acquired through a registrar

Third-Level Domains: may be used to direct traffic to an even more specific location on the Internet; usually used to refer to a specific server in an organization

Domain Name Registration Actors

Registry – in charge of database of domains ending with a particular top-level domain

Registrar – sells rights to use particular second-level domains

Registrant – purchases right to use second-level domain for a designated period of time

Past Expansion & the Origins of the New gTLD Program

23 gTLDs in operation

There are also 250 ccTLDs for geo locales (.jp, .co, .uk, .me, .us)

In 2005, ICANN commenced policy formulation on large-scale top-level expansion

New gTLD Program In a Nutshell

1,930 applications submitted; approx. 1,800 remain

Application Fee = $185,000 per

Virtually any gTLD could be applied for:
– Generics: .INC, .ART, .BOOK, .WTF, .SEXY, .PIZZA
– Brands: .GOOGLE, .WALMART, .NETFLIX, .NBA
– Geographics: .NYC, .LONDON
– Communities: .ECO
– Internationalized Domain Names (IDNs) in non-Latin scripts such as Arabic, Cyrillic, and Lao:
  • 點看 (Chinese “dot com”); بازار (Arabic “bazaar”)

1,400 or so new gTLDs could be delegated by 2015


Financial Brand TLDs


II. Program Implications for Financial Sector Companies

The GAC Attacks: GAC Advice

The GAC provides government advice to ICANN on issues of public policy

In April, the GAC recommended one set of Safeguards for all new gTLDs

And one for “market sectors which have clear and/or regulated entry requirements” such as the financial sector, broadly including banks, lenders, investment houses, insurers, etc.

What Is the GAC Concerned About?

Consumer Protection, Sensitive Strings, and Regulated Markets

“These strings are likely to invoke a level of implied trust from consumers, and carry higher levels of risk associated with consumer harm.”

Safeguards Adopted for All TLDs

1. WHOIS Verification and Checks
   • Registry operators punish
2. Mitigating Abusive Activities
3. Security Assessments and Reporting
   • “Actual risk of harm …”
4. Documentation of WHOIS Checks, Security Threats & Actions Taken
5. Making and Handling Complaints
6. Consequences
   • “Real and immediate …”

Non-exhaustive List of Financial TLDs Targeted for GAC “Enhanced Safeguards”

.capital            .financial          .loans         .trading
.cash               .financialaid       .market        .autoinsurance
.broker             .forex              .markets       .bank
.brokers            .fund               .money         .banque
.claims             .investments        .pay           .carinsurance
.exchange           .lease              .retirement    .credit
.finance            .loan               .save          .creditcard
.mutuelle           .netbank            .reit          .tax
.creditunion        .insurance          .insure        .ira
.lifeinsurance      .mortgage           .mutualfunds   .versicherung
.vermogensberatung  .vermogensberater

Open / Restricted Open / Closed

Proposed Enhanced Safeguards

If adopted by ICANN in their present form:

– ES1: Include in its acceptable use policies requirement that registrants comply with all applicable laws, including, e.g., those related to privacy, data collection, consumer protection (including in relation to misleading and deceptive conduct), fair lending, debt collection, and data and financial disclosures

– ES2: Require registrars, at the time of registration, to notify registrants of ES1

Data breach lead to loss of domain?

Operator responsible for its registrants?

ES3: Registry operators will require that registrants who collect and maintain sensitive health and financial data implement reasonable and appropriate security measures commensurate with the offering of those services, as defined by applicable law and recognized industry standards
– “Reasonable and appropriate security measures”?
– “Recognized industry standards”?

ES4: Establish a working relationship with the relevant regulatory, or industry self-regulatory, bodies, including developing a strategy to mitigate as much as possible the risks of fraudulent, and other illegal activities
– Unresponsive regulatory bodies?
– Who determines for, e.g., .BROKER?

ES5: Registrants must be required by the registry operators to notify to them a single point of contact which must be kept up-to-date, for the notification of complaints or reports of registration abuse, as well as the contact details of the relevant regulatory, or industry self-regulatory, bodies in their main place of business
– Relevant bodies?
– Regulatory bodies receive complaints?

ES6: At the time of registration, the registry operator must verify and validate the registrants’ authorisations, charters, licenses and/or other related credentials for participation in that sector
– Change nature of open TLDs?

ES7: In case of doubt with regard to the authenticity of licenses or credentials, Registry Operators should consult with relevant national supervisory authorities, or their equivalents
– Potentially discriminatory?

ES8: The registry operator must conduct periodic post-registration checks to ensure registrants’ validity and compliance with the above requirements in order to ensure they continue to conform to appropriate regulations and licensing requirements and generally conduct their activities in the interests of the consumers they serve
– Potentially discriminatory?

Status of the Enhanced Safeguards

ICANN put a HOLD on the Financial Sector (and other) TLDs

The NGPC met on Tuesday and decided . . .

Hope for the best, plan for the worst . . .

Ramifications of the Safeguards

So, what do the Safeguards mean for REGISTRIES?
– Tighter rules on security and Whois data checks
– Additional oversight, cost, and investigative responsibilities
– More hands-on approach for registries to police their TLDs and enforce their acceptable use policies to ensure compliance with applicable laws
– Increased exposure?

And, if you want [yourfirm].FUND or [yourfirm].INVESTMENT or [yourfirm].INSURE, what do the Safeguards mean for REGISTRANTS?
– Greater record keeping and data disclosure obligations
– New or enhanced security measures to safeguard consumers’ information
– Additional oversight responsibilities
– Adherence to multijurisdictional laws
– Proactive protection of domain assets

III. Key Considerations as Financial Sector Brand Owners

The Internet Can Be a Dangerous Place

38% of fraud cases are due to email and 12% are due to websites – in other words, the Internet is used to enable HALF of all fraud each year (FTC Consumer Sentinel Network 2012 Report)

The increase in domains will provide a wealth of options for miscreants

Over half of the new TLD applications are generics
– Minimum controls
– Maximum competition

The Internet Can Be a Dangerous Place

Abusive domains increased by 25% from Dec. 2012-May 2013

Even though the rate at which they are being removed is increasing, it cannot keep up with the rate of abuse

NameSentry Report 2013, Architelos Inc.

Key Considerations For Brand Owners

As brand owners, you need to consider how you will respond to the coming mass expansion
– Trademark Clearinghouse now
– Strategize offensive/defensive registration
– Prepare to combat – and budget for – enforcement
  • Registration fees
  • TMCH fees
  • Policing and remediating domain name abuse
– Security risk mitigation, especially in open TLDs

The Trademark Clearinghouse

Repository of verified rights information – a database for verified trademarks

(1) Sunrise and (2) Claims Service
– Pre-public access
– Notification of attempts to register domains matching your marks
– Not intended to “block” domain name registrations
– Does not alert to registrations incorporating confusingly similar marks

(3) TM+50: claims notices for up to 50 labels

Proactive Brand Protection

Assess global trademark portfolio to determine potential marks to be submitted to the TMCH
– Organize potential submissions into priority tiers:
  • Importance in the marketplace
  • Geographic reach
  • Likelihood of infringement
  • Potential impact of infringement
  • Longevity of mark (i.e., marks that may be phased out in the near future or that are due to be divested may be a lower priority)

Proactive Brand Protection

Assess potential registries for participation in Sunrises and Landrush
– Determine potential TLDs for registration:
  • Industry relevance
  • Geographic terms
  • IDNs
  • Future product offerings
  • Likelihood of and impact of infringement in particular TLDs

Audit existing domain portfolio – clean out the attic

Enforcement

Post-Launch

Uniform Domain Dispute Resolution Procedure (“UDRP”): Independent administrative proceeding to resolve disputes over alleged abusive domain name registrations / alternative to court for pursuing cases of cybersquatting

Uniform Rapid Suspension System (“URS”): Intended to provide rapid relief to trademark holders for the most clear-cut cases of infringement

Post-Delegation Dispute Resolution Procedure (“PDDRP”): For trademark holders to address any large-scale infringement concerns directly at the registry level where the registry profits from bad faith registrations / failure to live up to contractual promises to ICANN/safeguards

Enforcement

There is nothing (yet) to stop the endless permutations of *[yourfirm]*.TLD that could be registered and used for malicious purposes

Enforcing against this abuse is a MUST for brand and reputation protection, especially in sensitive sectors

Failure to be vigilant could harm your customers, attract regulatory scrutiny, and mean a failure to comply with your domain’s Terms of Use

Budget for UDRP/URS proceedings

Budget for abuse monitoring, including in IDNs

Internet-Based Threats to Financial Sector Entities

Altering DNS information is a common objective of a registration account compromise

Unauthorized access to domain registration from compromised account identities and authentication credentials

Unsecured email from registrars, ICANN, TMCH, vendors, registries, etc.

Is web access to a registration account necessary to you?

Risk Mitigation

Protect account credentials

Domain name registrations are an asset and should be included in business processes such as asset management and risk management programs

Maintain documentation to prove registration

Domain Name points of contact considerations

Monitor for Whois and DNS change activity

Monitor domain code status

Monitor FS-ISAC
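Added example (not part of the original slides): one way to act on the "Monitor for Whois and DNS change activity" and "Monitor domain code status" items is to diff a stored baseline of each registration against a fresh snapshot. The snapshot layout, field names and sample domains are assumptions made for illustration; the status names are the standard EPP registry status codes.

```python
# Added example: diff two registration snapshots and flag risky changes.
# All domains, nameservers and contacts below are constructed sample data.
LOCKS = {"clientTransferProhibited", "clientUpdateProhibited", "clientDeleteProhibited"}
RISKY = {"pendingTransfer", "pendingDelete", "clientHold", "serverHold", "redemptionPeriod"}

BASELINE = {
    "examplebank.example": {
        "nameservers": ["ns1.dns.example", "ns2.dns.example"],
        "registrant_email": "hostmaster@examplebank.example",
        "status": ["clientTransferProhibited", "clientUpdateProhibited"]},
    "examplebank-pay.example": {
        "nameservers": ["ns1.dns.example", "ns2.dns.example"],
        "registrant_email": "hostmaster@examplebank.example",
        "status": ["clientTransferProhibited"]},
}
CURRENT = {
    "examplebank.example": {
        "nameservers": ["NS1.DNS.EXAMPLE.", "ns9.other.example"],
        "registrant_email": "hostmaster@examplebank.example",
        "status": ["clientUpdateProhibited", "pendingTransfer"]},
    "examplebank-pay.example": BASELINE["examplebank-pay.example"],
}

def norm(values):
    """Case-insensitive set so 'NS1.Example.' and 'ns1.example' compare equal."""
    return {v.strip().rstrip(".").lower() for v in values}

def diff_snapshot(baseline, current):
    """Return a sorted list of (severity, domain, message) findings."""
    findings = []
    for domain, old in baseline.items():
        new = current.get(domain)
        if new is None:
            findings.append(("HIGH", domain, "record missing from current snapshot"))
            continue
        old_ns, new_ns = norm(old["nameservers"]), norm(new["nameservers"])
        if old_ns != new_ns:
            findings.append(("HIGH", domain, "nameservers changed: "
                             f"+{sorted(new_ns - old_ns)} -{sorted(old_ns - new_ns)}"))
        if old["registrant_email"].lower() != new["registrant_email"].lower():
            findings.append(("HIGH", domain, "registrant contact email changed"))
        old_st, new_st = set(old["status"]), set(new["status"])
        for lock in sorted((old_st & LOCKS) - new_st):
            findings.append(("MEDIUM", domain, f"lock removed: {lock}"))
        for st in sorted((new_st & RISKY) - old_st):
            findings.append(("HIGH", domain, f"risky status added: {st}"))
    for domain in sorted(set(current) - set(baseline)):
        findings.append(("INFO", domain, "domain not in baseline inventory"))
    return sorted(findings)
```

Calling diff_snapshot(BASELINE, CURRENT) on the sample data reports the swapped nameserver, the dropped transfer lock and the pending transfer for the first domain and nothing for the unchanged one.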

Monitor open TLDs – contact the registries and pursue complaints including using the PDDRPs

Look for registrars that aggressively monitor and respond to registrar impersonation attacks

Make sure there is an abuse point of contact and know when they are available

Customer communication – prepare your customers to understand that if a communication does not come from certain domains, it’s NOT FROM YOU

Compliance with Safeguards and applicable, multi-jurisdictional laws – audit

How to Contact Us


Tony Onorato

(212) 506-3933

[email protected]

Follow me for gTLD updates

@TonyOnorato

Alexis Hunter

(212) 506-3934

[email protected]

Internet, New gTLD & Domain Name Services

http://www.steptoe.com/practices-319.html

Thank you for joining us.
