A Domain by Any Other Name: Protecting Your Domain from Casual Hijackers
For most businesses its website and email systems are its life blood. These can both be compromised if you lose control of your domain name, the “x.com.au” or “y.net.au”. Recently Scott Morrison provided an example that this can happen to anyone, even a well-resourced digital media team. During the Wentworth byelection they lost control of the domain scottmorrison.com.au. The domain wasn’t hijacked by a sophisticated hacker, just a suitably opportunistic individual with a credit card. The individual simply registered the domain in his own name after the registration was accidentally allowed to expire.
How can this happen?
If your domain expires it is published on a daily “drop list” managed by the domain authority, in the case of “.au” domains, this is an organization called. AU DOMAIN ADMINISTRATION LTD (auDA). Third parties can watch these lists, and when a juicy domain passes the expiry date can register it.
To be eligible criteria for registering a domain name is that the individual has:
- A company registered in Australia
- Operates under a registered business name in any Australian State or Territory
- An Australian partnership or sole trader
- An overseas company licensed to trade in Australia
- An owner of an Australian Registered Trade Mark
- An applicant for an Australian Registered Trade Mark
- An association incorporated in Any Australian State or Territory
- An Australian commercial statutory body
But in practice the eligibility checking is limited, and often a domain name can be registered just by holding a valid ABN. Due to the high volume of registrations, it is left to businesses to enforce and protect their own domain names if registered by a third party.
What problems does it cause?
Aside from the loss of your web presence, losing control of the domain name can have other security and privacy implications. Aside from the business interruption from not receiving emails, the new domain owner can capture emails that are addressed to the domain. This can include private and confidential information such as client orders and account details, privileged information sent to you by lawyers, and information sent to you by the ATO. In addition, it may allow the new domain owner to reset passwords for websites, as they can capture the password reset emails sent to your domain.
What to do?
If you inadvertently lose the rights to your domain name, there are certain actions you can take.
The first and easiest step is to contact the new owner of the domain name and enquire whether they are willing to return the domain name back to you. If this is unsuccessful, the next step is to contact the company you registered the domain through as they may have certain policies or dispute processes to rectify the issue.
A more formal step is to apply to auDA under its domain dispute process for the domain to be transferred back to you. This is a quasi-judicial process heard by a tribunal appointed by auDA, in accordance with its dispute policy or the World International Property Organisation rules.
In order to have your domain transferred back to you, generally you will be required to demonstrate:
- The domain name is identical or confusingly similar to a business or company name, or trade mark you have rights to
- The new domain owner has no rights or legitimate interests in the domain name
- The domain name has been registered or used in bad faith, which includes registration
- For the purpose of selling the domain back to you for an inflated amount
- To prevent you using your registered trade mark in a domain
- For the purpose of disrupting your business
Remember, your registration of a company or business name does not give you protection for your use of that name. So, it may be important to register a trade mark to protect your users, and to make it easier to reclaim your domain. If you don’t have a trade mark it can be challenging to establish your right to use the domain name.
Because of the quasi legal nature of this tribunal you should seek legal advice to prepare your arguments. There is no appeal of the auDA decision, however, you may have other options, such as a formal court action for things like misleading and deceptive conduct, trade mark infringement, or passing off.
What can you do to protect against it?
Maintaining a domain name may appear to be a trivial thing, however, it can be easily forgotten. To ensure that you are adequately protected you should consider:
- Registering a Trade Mark
- Setting reminder of domain expiry dates when you register
- Choosing to auto renew domain names, if this is available
- Notifying customers and any other relevant people of the changes in email address or if you are ceasing business or changing business name.
The Tech & Media team at Griffin Legal can assist, contact us today.