As more economic activity occurs online, internet domain addresses are increasing in value, especially for small- and medium-sized businesses. Businesses of all sizes need to pay attention to the security of their internet domain addresses, and a recent EDVA decision highlights the dangers of losing control of a business’s domain address.
In Jacobs Private Equity, LLC v. <JPE.com>, Case No. 1:16-cv-01331, 2017 WL 830397 (E.D. Va. Feb. 2, 2017), Magistrate Judge Ivan D. Davis faced a “cybersquatting” claim that is becoming more common. Plaintiff Jacobs Private Equity, LLC, operated www.jpe.com as its website for over 12 years. One day, however, its employees suddenly found that their login credentials to the website no longer worked. According to the Complaint, an employee was the victim of an email “phishing” scheme where she was conned into divulging her login credentials. The hackers then logged into the internet domain registry and changed the password to the business’s account. As a result, the business lost control over its website and email addresses, and a new entity registered its purported ownership of the domain address.
Represented by Mark H. M. Sosnowsky of Drinker Biddle’s DC office, the business filed suit in the Eastern District of Virginia under the federal Anti-Cybersquatting Consumer Protection Act (the “ACPA”), 15 U.S.C. § 1125(d), et seq. The Eastern District frequently sees these actions because many of the most popular internet domain registrars have offices in northern Virginia. In this case, VeriSign, Inc., served as the registry, and it has an office in Reston, Virginia.
Suing an Internet Address
In a marriage of ancient legal principles and new information technology, a lawsuit under the ACPA is an in rem action against the internet domain address itself (and similar to an in rem action against a parcel of real estate or tangible personal property). While the actual internet domain address is named as a defendant, the real defendant is, of course, the party who registered the address.
An ACPA action also involves elements of traditional trademark law. In fact, the ACPA is part of Title 15 of the U.S. Code which focuses on federal law governing trademarks, also commonly referred to as the Lanham Act. Under the ACPA, a court may order the forfeiture or cancellation of a domain name, or transfer of a domain address to the rightful owner of the mark. The ACPA applies, for the most part, to marks that are distinctive or famous.
A Common Problem
Fraudulent phishing schemes, such as the one that snared Jacobs Private Equity, are unfortunately increasingly common. The usual pattern for this scheme is that bad actors outside of the United States will either take over the registration for a valuable website, or will watch for a non-renewal of registration for an active website. The new party will swoop in, register the domain, and then offer to sell the domain back to the previous user for exorbitant amounts. This frequently ensnares small businesses who fail to renew a website registration, such as by relying upon an expired credit card for an expected “auto-renewal” that never occurs. The ACPA was enacted in 1999 in hopes of curbing such problems.
Elements of an ACPA Claim
Judge Davis’s opinion provides a useful roadmap for cybersquatting claims. Treating an internet domain address as a trademark, a plaintiff must prove two elements to succeed on a cybersquatting claim:
- The domain name is identical or confusingly similar to the plaintiff’s mark.
- The registrant had bad-faith intent to profit from the domain name.
Traditional Trademark Law
The ACPA protects both registered trademarks and unregistered, common law marks. While a common course of action for a business is to register its trademarks with the U.S. Patent & Trademark Office, a business may also acquire common law trademark rights by actual use of the mark in the market place. For example, a small jewelry shop that has operated for 15 years as “Kitty’s Fine Jewelry” likely has a common law trademark rights in the name. And if that small jewelry shop also operated a website (such as www.kittysfinejewelry.com), it will likely have a strong ACPA claim against a subsequent registration of the domain by a party acting in bad faith. A business need not make a formal registration with the USPTO to have such protection.
Proving Bad Faith
Proving “bad faith intent” is often the challenge in these types of cases. Because we cannot see into a person’s mind to determine intent, the ACPA sets forth nine “factors” that a court “may consider” in determining a person’s intent. These factors operate as non-exclusive guides to the court (which is a concept similar to the common law “badges of fraud” used in traditional fraudulent conveyance law). The nine factors under § 1125(d)(1)(B)(i) are as follows:
- Any preexisting trademark or other rights in the name used in the domain address.
- Whether the domain name contains the legal name of the person or a name that is commonly used to identify the person.
- Prior use of the domain name in connection with bona fide goods or services.
- Legitimate noncommercial or fair use of the mark in a site that uses the mark in the domain address.
- Intent to divert consumers from the mark owner’s online location to another site that could harm the goodwill represented by the mark.
- Whether the person offered to sell the domain name back to the mark owner for financial gain without having used the domain in any legitimate business activities. (This factor also includes whether the person has engaged in such activity in the past, indicating a pattern of such conduct.)
- Providing false or misleading contact information during the registration of the domain address.
- Acquiring multiple domain names which are identical or confusingly similar to multiple preexisting marks.
- Whether the mark is distinctive or famous at the time of registration of the domain name.
Of course, not all of these factors will apply in a given case, and there is no set standard for how many factors need to be present to establish bad faith. Rather, a court has wide-latitude in these fact-intensive cases.
Service of Process Issues
In Jacobs Private Equity, the new registrant of the disputed internet domain address never responded to the complaint, so Judge Davis recommended that a default judgment be entered. In Judge Davis’s Report and Recommendation (“R&R”), he first focused on the efforts that the plaintiff went to effect service of process. The plaintiff tried the telephone number, mailing address, and email address listed by the new registrant, but all turned out to be bogus. The plaintiff then sought court approval to publish notice of the lawsuit in The Washington Times. Once this was accomplished, the court was satisfied that the default judgment could be granted.
The Plaintiff Prevails
Even though the defendant defaulted, Judge Davis still performed the ACPA statutory analysis in his R&R. He determined that the plaintiff had a valid common law trademark rights in “JPE” and that the new registrant acted in bad faith by providing bogus contact information to VeriSign, among other factors. No objections to Judge Davis’s R&R were ever filed, and on March 2nd, District Judge Liam O’Grady adopted the R&R in full, ordering the internet register to return the domain address to the plaintiff.
Alternatives to Litigation
While the ACPA provides a legal remedy in federal court, aggrieved mark owners can also pursue an administrative challenge to bad-faith registration. Known as a “Uniform Domain Name Dispute Resolution Policy” (“UDRP”) proceeding, the action is essentially a private arbitration filed with the internet registry overseeing the disputed domain. While it can be faster and cheaper than litigation, the range of remedies allowed in such an arbitration are fewer than those available from a federal court. And a successful arbitration can have little or no deterrence or precedential value against other cybersquatters targeting a specific website.
The ACPA provides a legal remedy to businesses and individuals who have been victimized by the theft or loss of control of their internet domains. The statutory framework is straight-forward, but proving bad-faith intent can be challenging, especially when defendants evade service of process or mask their identities. Yet, with the rise of online commerce (especially for small- and medium-sized businesses), we will likely see more incidents of stolen internet websites, and by virtue of the Eastern District’s geographic location, more cybersquatting claims brought in this court.