New approaches to an old problem: the evolution of online brand protection

In the online world, what worked 12 months ago may not now, meaning that brand protection professionals must constantly reassess their approach, seek out new partners and ensure business buy-in to the mission. In this roundtable discussion, a panel of industry thought leaders – Accenture’s Jeffrey Fridman, MarkMonitor’s Statton Hammock and Sarah Bro and Christina Martini of McDermott Will & Emery – consider the latest tools and tips for proactively fighting infringement and managing brand reputation online, taking in social media best practice, how to police messaging platforms and apps, and how to deal with multi-platform infringement, as well as exploring how online actions can be turned into real-world wins.

Trademark experts are now used to the new gTLD environment. As we await round two, what are the key brand protection lessons that you take from the first wave of new gTLDs?

Statton Hammock (SH): Three key lessons from round one come to mind. First, the additional rights protection mechanisms that were developed and incorporated into the first application round helped to keep the number of cybersquatting cases down much lower than the number that occur in legacy TLDs (eg, ‘.com’ and ‘.net’) and ccTLDs. Second, concerns among some brand owners that individuals would register their trademarks after the dot in a new gTLD did not materialise. Brand owners should consider filing for their ‘.brand’ in the next application round but not because of fear that someone will register their trademarks in a new gTLD. Third, it is neither necessary nor strategic (and certainly not cost-effective) to register your trademark in each and every new gTLD. Register your brand in gTLDs that relate to your industry and explore which registries’ blocking services are most cost-effective for your budget. For instance, McDonald’s should register its brand in a ‘.food’ TLD but not in a ‘.lawyer’ TLD and should consider whether a Domain Protected Mark List block, for example, makes sense for its ‘crown jewel’ brands.

Jeffrey Fridman (JF): Given the sheer number of public gTLD registries, the notion of an effective ‘defensive’ domain name portfolio is becoming increasingly difficult to achieve and justify. Securing and maintaining even your primary house mark or corporate brand across the broad expanse of available gTLDs can be a moving target – and cost- prohibitive. As a result, early and effective brand monitoring and domain name watching services are more crucial than ever, as is constant communication and collaboration between information security and IP teams. While many cybersquatters and online criminals will require whack-a-mole enforcement actions, there are instances in which layered approaches from information security (eg, access control restrictions) and brand enforcement providers or platforms (eg, tracking and logging repeat infringers) can provide brand owners with creative solutions for addressing online infringement, without the need to secure (and renew) every available brand-formative gTLD in a domain name portfolio.

The UDRP is up for scrutiny as part of ICANN’s review of rights protection mechanisms. Are there any changes that you would make to the policy and is there a danger that its effectiveness could be negatively affected post-review?

Sarah Bro (SB): One key gap in the effectiveness of the UDRP is the ability to combat and address, in a timely fashion, instances of fraudulent criminal activity using branded domain names. While registrars have some authority to suspend the Domain Name System (DNS) in response to clearly fraudulent activity, the evidentiary threshold is quite high and the registrars tend to invoke their suspension authority rarely, begrudgingly and inconsistently. One potential solution for shoring up this gap in the policy is to grant additional authority to UDRP case managers or panellists to temporarily suspend the DNS when substantial proof of fraudulent criminal communications – for example, proof of email communications (with headers) that show clear impersonation of the petitioner’s brand through use of the disputed domain name – can be demonstrated.

Another suggested change is to revise and clarify the policy under Section 4(c) (ii) to prevent common loopholes and bad-faith workarounds for demonstrating rights or legitimate interests in a disputed domain name. For example, a domain name registrant should not be able to register a corporate entity for FAMOUS BRAND X CORP and then point to that disingenuous corporate name as evidence of a right or legitimate interest in the otherwise infringing domain name without a more critical evidentiary review or burden of proof.

SH: By nearly every measure, I would say that the UDRP has been an effective means for acquiring domain names registered in bad faith. I do not foresee any material changes to the policy, perhaps only changes in its administration, nor do I foresee its effectiveness being diminished post-review.

Are there any URS and/or UDRP decisions that you feel have been particularly noteworthy over the past 18 months?

Christina Martini (CM): We are always interested in UDRP decisions that address common fact patterns in online infringement. In late 2019, WIPO’s decision in Nationwide Mutual Insurance Company v Privacy Administrator, Anonymize / “Manu Miglani”, Privacy Gods Limited / Epik Inc (D2019-1816, WIPO, 10 October 2019) (‘nationwideexcessandsurplus.com’) was a boon for brand owners, calling out bad-faith behaviour when the respondent is also the registrar (often as a domain reseller or portfolio owner) and noting that the respondent in its role as a registrar should be well aware of its obligations not to violate the trademark rights of others. Around the same time, however, the forum raised some concern for brand owners that take early action on infringing domain names with its decision in Deseret Digital Media v Jacob Korman / Korman Services (FA1909001863090, Forum, 28 October 2019), when the panel held that the use of a disputed domain name to redirect internet users to a parked page for “only a short period of time” (here, just shy of one month) alone does not indicate bad faith. This decision potentially grants more time and leeway for a bad-faith registrant to attempt to demonstrate some legitimate use of an infringing domain name.

SH: I would point to Gas Monkey Holdings v Tony Anastasia (FA1905001844555, Forum, 12 June 2019) for the sheer humour of it. While the domain name ‘fartmonkeygarage.com’ suggests that the respondent is ribbing the complainant (Gas Monkey Garage), the panel found no concrete evidence to support that claim. It humourlessly (and disappointingly) assessed use of the terms ‘fart’ and ‘gas’ and decided that these refer to different experiences – rejecting any notion that the words refer to flatulence.

Turning to social media, what are the fundamental elements to include in an internal social media policy and how should this be communicated to staff?

SH: There are a range of guidelines that should be communicated to staff during an internal webinar or similar training for all employees and through the employee handbook. These include the following rules:

• Do not disclose or speculate on non-public financial or operational information.
• Do not disclose personal or private information about other co-workers.
• Do not disclose a company’s confidential or proprietary information.
• Do not discuss company policies or work-related legal proceedings or controversies.
• Do not post negative content or defamatory, libellous, offensive or demeaning material or other types of content that may relate to drugs, alcohol or tobacco, pornography or other offensive or illegal material.
• Do not post others’ material (eg, photographs, articles or music) without ensuring that they have granted appropriate permission to do this.
• If you write to endorse a product or service of the company, you must disclose that you are an employee of the company.
• Do not plagiarise material (ie, using content that is already published).
• Remember that all posts are subject to the terms of use for the particular blog or social networking site; therefore, review the terms of use before posting any content.

JF: When crafting a social media policy, one of the key things to keep in mind is that social media, at its heart, is not one area of law. Social media requires consideration of IP issues, as well as regulatory, employment, data privacy and information security issues, among others. Therefore, the implementation of an effective social media policy is a balancing act. Modern companies not only accept that their employees will be active on social media, in many cases, they encourage it. Employees can be some of the best brand stewards that a company has. At the same time, overly restrictive or authoritarian policies can face issues as to enforceability and breed employee discontent. An ideal social media policy will foster a culture of communication, centring around ideas of thoughtfulness and transparency. As a general policy, if an employee is speaking on social media about topics relevant to their employer’s business, it should be clear that they are not speaking on behalf of their employer.

What initial steps should a rights holder take when it discovers cases of infringement or brand misuse on social media, including how to assess the likelihood of a backlash if it takes the wrong approach?

SH: Most social media sites have written policies that explain the process for reporting various types of abuse occurring on their platform. The first step is to report the infringement to the social media platform. If no action is taken, the next step is to contact the abuser and send a cease and desist letter. The language used in that letter will depend on the circumstances surrounding the infringement.

SB: It is important to develop a working knowledge of the terms of use and the infringement complaint requirements across popular social media platforms. Ensure that you fully understand the requirements for a particular infringement submission or takedown notice and get it right the first time! In other words, be clear and accurate, avoid abusing any social media policy beyond its limits and make it easy for the reviewer to act on your infringement submission in the first instance by meeting the platform’s required formalities. As in all areas of business, relationships matter – including those with social media legal departments and gatekeepers. No matter how frustrating an infringement may be to your internal teams or clients, maintain respectful and cordial communications with social media staff and do your part to help them do their job. For example, maintain detailed records of instances of infringement to allow for swift action with respect to repeat infringers.

Finally, do your best to manage expectations. Not all uses of a brand owner’s intellectual property are infringing under social media policies or applicable laws. Often, the initial reaction is to want to take action against negative speech, but such speech may be legally defensible under fair use or other legal safeguards.

Infringers have proved canny in adopting multi-platform approaches, often advertising in one environment, then directing users to a second to complete the transaction. How should trademark professionals build protection programmes that allow a multi-platform approach?

CM: Work to build an effective network of international counsel, particularly in countries such as China, where social media platforms tend to differ greatly from those used in other major markets. Constantly evaluate new offerings from brand protection vendors for expanding watching services. For example, AI and other information security tools are changing the ways in which vendors can monitor platforms that are traditionally challenging to access, such as ‘hangouts’ or niche messaging platforms. In addition, consider expanding trademark watch services beyond your key brands to include the names of those in your C-suite, high-profile business partners and the like. Sophisticated fraudsters can leverage the reputation of known leaders or partners of a company just as easily as leveraging the brand itself.

SH: I would add that trademark professionals should focus on the e-commerce platform that enables the fraudulent transaction and should not spend time chasing numerous other sites that direct consumers to that platform. What matters most is stopping the transaction. Another good strategy is to report the problem to the payment processor in addition to the platform host.

Do you have any tips for policing messaging platforms and the app environment specifically?

JF: Because there are new platforms entering the market every day, the first step is to stay informed about use trends and assess where the most potentially harmful infringement is likely to pop up. Across messaging platforms and apps, it is important to build effective relationships with the platforms and to comply with each platform’s infringement and takedown policies – try to avoid creating a reputation for over-asserting IP rights or exceeding the scope of the platform’s IP policies.

Internally, partner with your information security teams to implement training and communication protocols in the face of infringement or problematic platform uses. Information security might not be able to remove instances of infringement, but they will often have tools to block suspicious accounts, domains or IP addresses from communicating with employees on company machines. Often, this approach can be far quicker and more effective than formal enforcement proceedings and can mitigate harm while you determine the most appropriate strategies going forward.

SH: There are several software providers with tools that enable brands to police app stores and messaging platforms. At the moment, a technical solution is the most efficient way to address these forms of abuse.

Protection efforts are sometimes best handled by following the money and targeting bigger-picture actions, rather than focusing on instant takedowns. How should brands decide which tactic is the most appropriate?

SB: Start with separating the commonplace infringer or nuisance cybersquatter from the malicious, fraudulent actor. They may display similar profiles early on, but getting a clearer picture of the full scope or network of infringement can guide your enforcement strategy and can help to avoid inefficient, piecemeal enforcement actions that may not get to the heart of the potential harm. It also helps to educate your stakeholders and clients on what constitutes a successful outcome in these complicated infringement scenarios. For instance, reducing a fraudster’s footprint may not add to the bottom line, but it may prevent significant financial loss and brand harm resulting from that fraud if left unchecked.

If it becomes necessary to involve law enforcement, invest in corporate investigations (internal or external) to gather as much information as you can, including – if possible – where the fraudster is located. Reporting cybercrime to local law enforcement in your home country may be entirely ineffective for a sophisticated, organised crime being conducted half a world away.

SH: Unless the brand owner has considerable resources to pursue the takedown of multiple websites and infringements, the best approach is to be patient and try to shut down the network hub of the infringing party. As suggested earlier, a good approach is to focus on the platform that enables the fraudulent transaction.

When it comes to measuring the impact of online brand protection efforts, what key metrics would you recommend and why?

SH: There are two key metrics. First is the number of instances of infringement that are detected on search engines and marketplaces, compared to the number of instances before a brand protection plan was implemented. If the new figure is drastically lower than the original, then the efforts are successful. Second is the number of consumers that have been confused by the infringement. Once again, if this new figure is lower after a brand protection strategy has been implemented, then the efforts are successful.

CM: When it comes to protecting valuable brands from rampant online infringement, there is almost never a monetary return from your enforcement victories. Instead, an effective online brand protection strategy is about getting the biggest bang for your dollar. How early are you identifying potential problems? Are you taking proactive efforts based on watching services or are you only learning about an instance of infringement or fraud after the harm has occurred?

A successful metric of your education and training efforts might be when you see your own people flagging suspicious activity and raising it to the right teams before any action is taken.

You cannot control how many people try to infringe your brand, but you can control how you react. Create a brand around your own enforcement activities. Become known as the brand owner that never pays a cybersquatter to save a few dollars; be the brand that pursues instances of enforcement across all platforms and for all new infringer-created accounts. You may not be able to turn an infringer into a good citizen, but you can become the brand that is known for its relentless, effective enforcement programme so that infringers learn not to pick your brand as a target.

Finally, are there any other issues that you would like to raise?

JF: I think it is worth highlighting the importance of setting up policies that make it easy for vendors, clients or recruits to identify questionable activity. For example, set out clear ways that your business might request changes in payment details. Clarify, in writing, that any request to change payment details outside of this established process should be ignored and reported immediately before any changes are made. Educating your own people is important, but vigilance against these activities requires concerted education directed to the individuals and businesses that your client interacts with every day.

In addition, many social platforms are trying to assist brand owners by creating ways to ‘verify’ or ‘authenticate’ official accounts and handles. Make sure that you are establishing these where you can so that fake and infringing accounts stand out as not having the same authentication language as your official accounts. Finally, maintain the exclusivity of your online profiles and websites by limiting the number that your business creates. If you have one (or a handful) of official Facebook accounts, a newly created account is likely to stick out. But if you have 200, the 201st might not be as easily identified as a fake.