The Internet Big Bang: Implications for Financial Services Brand Owners

Transcription

1 The Internet Big Bang: Implications for Financial Services Brand Owners Tony Onorato, Alexis Hunter September 12, 2013

2 Who We Are & What We Do Tony Onorato and Alexis Hunter are long-time commercial litigators with extensive experience as gtld practitioners We advised clients representing nearly 10% of all gtld applications filed worldwide in 2012 Industry-leading clients in the financial services, insurance, software and media, entertainment, Internet, and fashion sectors, on all aspects of gtld policy development, technical aspects of registry operation, and business planning 2

3 Today s Learning Event I. Overview of ICANN & New gtld Program II. III. Program Implications for Financial Sector Companies Key Considerations as Financial Sector Brand Owners A. Brand Protection B. Enforcement C. Risk Mitigation 3

4 I. Overview of ICANN & New gtld Program 4

5 What is ICANN? ICANN is a global multi-stakeholder organization that collaborates with companies, individuals, and governments to oversee development and implementation of Internet policy and standards for technical operations Promotes competition and a secure, stable and interoperable Internet 5

6 Domain Name Hierarchy Top-Level Domain: label to the right-most of the dot Second-Level Domain: label to the left of the dot acquired through a registrar Third-Level-Domains: may be used to direct traffic to an even more specific location on the Internet; usually used to refer to a specific server in an organization 6

7 Domain Name Registration Actors Registry in charge of database of domains ending with a particular top-level domain Registrar sells rights to use particular second-level domains Registrant purchases right to use second-level domain for a designated period of time 7

8 Past Expansion & the Origins of the New gtld Program 23 gtlds in operation There are also 250 cctlds for geo locales (.jp,.co,.uk,.me,.us) In 2005, ICANN commenced policy formulation on large-scale top-level expansion 8

9 New gtld Program In a Nutshell 1,930 applications submitted; approx. 1,800 remain Application Fee = $185,000 per Virtually any gtld could be applied for: Generics:.INC,.ART,.BOOK,.WTF,.SEXY,.PIZZA Brands:.GOOGLE,.WALMART,.NETFLIX,.NBA Geographics:.NYC,.LONDON Communities:.ECO Internationalized Domain Names (IDNs) in non-latin scripts such as Arabic, Cyrillic, and Lao: 點看 (Chinese dot com ); بازار (Arabic bazaar ) 1,400 or so new gtlds could be delegated by

10 10

11 11

12 Financial Brand TLDs 12

13 II. Program Implications for Financial Sector Companies 13

14 The GAC Attacks: GAC Advice The GAC provides government advice to ICANN on issues of public policy In April, the GAC recommended one set of Safeguards for all new gtlds And one for market sectors which have clear and/or regulated entry requirements such as the financial sector, broadly including banks, lenders, investment houses, insurers, etc. 14

15 What Is the GAC Concerned About? Consumer Protection, Sensitive Strings, and Regulated Markets These strings are likely to invoke a level of implied trust from consumers, and carry higher levels of risk associated with consumer harm. 15

16 Safeguards Adopted for All TLDs 1. WHOIS Verification and Checks Registry operators punish 2. Mitigating Abusive Activities 3. Security Assessments and Reporting Actual risk of harm 4. Documentation of WHOIS Checks, Security Threats & Actions Taken 5. Making and Handling Complaints 6. Consequences Real and immediate 16

17 Non-exhaustive List of Financial TLDs Targeted for GAC Enhanced Safeguards.capital.financial.loans.trading.cash.financialaid.market.autoinsurance.broker.forex.markets.bank.brokers.fund.money.banque.claims.investments.pay.carinsurance.exchange.lease.retirement.credit.finance.loan.save.creditcard.mutuelle.netbank.reit.tax.creditunion.insurance.insure.ira.lifeinsurance.mortgage.mutualfunds.versicherung.vermogensberatung.vermogensberater Open / Restricted Open / Closed 17

18 Proposed Enhanced Safeguards If adopted by ICANN in their present form: ES1: Include in its acceptable use policies requirement that registrants comply with all applicable laws, including, e.g., those related to privacy, data collection, consumer protection (including in relation to misleading and deceptive conduct), fair lending, debt collection, and data and financial disclosures ES2: Require registrars, at the time of registration to notify registrants of ES1 Data breach lead to loss of domain? Operator responsible for its registrants? 18

19 Proposed Enhanced Safeguards ES3: Registry operators will require that registrants who collect and maintain sensitive health and financial data implement reasonable and appropriate security measures commensurate with the offering of those services, as defined by applicable law and recognized industry standards Reasonable and appropriate security measures? Recognized industry standards? ES4: Establish a working relationship with the relevant regulatory, or industry self-regulatory, bodies, including developing a strategy to mitigate as much as possible the risks of fraudulent, and other illegal activities Unresponsive regulatory bodies? Who determines for, e.g.,.broker? 19

20 ES5: Registrants must be required by the registry operators to notify to them a single point of contact which must be kept up to date, for the notification of complaints or reports of registration abuse, as well as the contact details of the relevant regulatory, or industry self regulatory, bodies in their main place of business Relevant bodies? Proposed Enhanced Safeguards Regulatory bodies receive complaints? 20

21 Proposed Enhanced Safeguards ES6: At the time of registration, the registry operator must verify and validate the registrants authorisations, charters, licenses and/or other related credentials for participation in that sector Change nature of open TLDs? ES7: In case of doubt with regard to the authenticity of licenses or credentials, Registry Operators should consult with relevant national supervisory authorities, or their equivalents Potentially discriminatory? 21

22 Proposed Enhanced Safeguards ES8: The registry operator must conduct periodic postregistration checks to ensure registrants validity and compliance with the above requirements in order to ensure they continue to conform to appropriate regulations and licensing requirements and generally conduct their activities in the interests of the consumers they serve Potentially discriminatory? 22

23 Status of the Enhanced Safeguards ICANN put on HOLD on the Financial Sector (and other) TLDs The NGPC met on Tuesday and decided... Hope for the best, plan for the worst... 23

24 Ramifications of the Safeguards So, what do the Safeguards mean for REGISTRIES? Tighter rules on security and Whois data checks Additional oversight, cost, and investigative responsibilities More hands on approach for registries to police their TLDs and enforce their acceptable use policies to ensure compliance with applicable laws Increased exposure? 24

25 Ramifications of the Safeguards And, if you want [yourfirm].fund or [yourfirm].investment or [yourfirm].insure, what do the Safeguards mean for REGISTRANTS? Greater record keeping and data disclosure obligations New or enhanced security measures to safeguard consumers information Additional oversight responsibilities Adherence to multijurisdictional laws Proactive protection of domain assets 25

26 III. Key Considerations as Financial Sector Brand Owners 26

27 The Internet Can Be a Dangerous Place 38% of fraud cases are due to and 12% are due to websites in other words, the Internet is used to enable HALF of all fraud each year (FTC Consumer Sentinel Network 2012 Report) The increase in domains will provide a wealth of options for miscreants Over half of the new TLD applications are generics Minimum controls Maximum competition 27

28 Abusive domains increased by 25% from Dec May 2013 Even though the rate at which they are being removed is increasing, it cannot keep up with the rate of abuse The Internet Can Be a Dangerous Place NameSentry Report 2013, Architelos Inc. 28

29 Key Considerations For Brand Owners As brand owners, you need to consider how you will respond to the coming mass expansion Trademark Clearinghouse now Strategize offensive/defensive registration Prepare to combat and budget for enforcement Registration fees TMCH fees Policing and remediating domain name abuse Security risk mitigation, especially in open TLDs 29

30 The Trademark Clearinghouse Repository of verified rights information a database for verified trademarks (1 ) Sunrise and (2) Claims Service Pre-public access Notification of attempts to register domains matching your marks Not intended to block domain name registrations Does not alert to registrations incorporating confusingly similar marks (3) TM+50: claims notices for up to 50 labels 30

31 Proactive Brand Protection Assess global trademark portfolio to determine potential marks to be submitted to the TMCH Organize potential submissions into priority tiers: Importance in the marketplace Geographic reach Likelihood of infringement Potential impact of infringement Longevity of mark (i.e., marks that may be phased out in the near future or that are due to be divested may be a lower priority) 31

32 Proactive Brand Protection Assess potential registries for participation in Sunrises and Landrush Determine potential TLDs for registration: Industry relevance Geographic terms IDNs Future product offerings Likelihood of and impact of infringement in particular TLDs Audit existing domain portfolio clean out the attic 32

33 Post- Launch Uniform Domain Dispute Resolution Procedure ( UDRP ) Uniform Rapid Suspension System ( URS ) Post- Delegation Dispute Resolution Procedure ( PDDRP ) Enforcement Independent administrative proceeding to resolve disputes over alleged abusive domain name registrations / alternative to court for pursuing cases of cybersquatting Intended to provide rapid relief to trademark holders for the most clear-cut cases of infringement For trademark holders to address any largescale infringement concerns directly at the registry level where the registry profits from bad faith registrations / failure to live up to contractual promises to ICANN/safeguards 33

34 Enforcement There is nothing (yet) to stop the endless permutations of *[yourfirm]*.tld that could be registered and used for malicious purposes Enforcing against this abuse is a MUST for brand and reputation protection, especially in sensitive sectors Failure to be vigilant could harm your customers, attract regulatory scrutiny, and mean a failure to comply with your domain s Terms of Use Budget for UDRP/URS proceedings Budget for abuse monitoring, including in IDNs 34

35 Internet-Based Threats to Financial Sector Entities Altering DNS information is a common objective of a registration account compromise Unauthorized access to domain registration from compromised account identities and authentication credentials Unsecure from registrars, ICANN, TMCH, vendors, registries, etc. Is web access to a registration account necessary to you? 35

36 Protect account credentials Domain name registrations are an asset and should be included in business processes such as asset management and risk management programs Maintain documentation to prove registration Domain Name points of contact considerations Monitor for Whois and DNS change activity Monitor domain code status Monitor FS-ISAC Risk Mitigation 36

37 Risk Mitigation Monitor open TLDs contact the registries and pursue complaints including using the PDDRPs Look for registrars that aggressively monitor and respond to registrar impersonation attacks Make sure there is an abuse point of contact and know when they are available Customer communication prepare your customers to understand that if a communication does not come from certain domains, it s NOT FROM YOU Compliance with Safeguards and applicable, multi-jurisdictional laws audit 37

38 How to Contact Us Tony Onorato (212) Alexis Hunter (212) Follow me for gtld Internet, New gtld & Domain Name Services Thank you for joining us. 38