How companies can use their trademarks to combat COVID-19-related phishing

Straightforward out-of-court domain name proceeding can provide efficient relief against fraudulent websites and email.

Google has seen a steep rise amid the Coronavirus pandemic in new websites set up to engage in phishing (i.e. fraudulent attempts to obtain sensitive information such as usernames, passwords and financial details). Companies in all industries – not just the financial sector – are at risk from this nefarious practice. But one relatively simple out-of-court proceeding may provide relief.

Varieties of Phish Species

Phishing schemes can take a variety of forms. A fraudster may register a domain name similar to the company’s legitimate domain name and use it to send email messages to the company’s customers, requesting payment and providing wire instructions. Distracted or untrained customers who receive the email may unwittingly wire funds as instructed in the fraudulent email to an account owned by the criminal. Or the phishing party may set up a legitimate looking but fake website at a domain name similar to the company’s legitimate domain name, and direct users there to purportedly log in, thereby disclosing their usernames, passwords, and perhaps additional sensitive information.

Taking Sites Down with the UDRP

Everyone who registers a domain has to agree, by contract, to have disputes over the domain name’s ownership resolved through an administrative proceeding (similar to arbitration). The Uniform Domain Name Dispute Resolution Policy (UDRP) governs disputes over .com, .net, .org and many other domain name registrations. The World Intellectual Property Organization (WIPO) provides administrative panels that decide disputes under the UDRP. These are decided “on the papers” with each party having the opportunity to submit arguments and supporting documentation. The time and expense of a UDRP proceeding are a small fraction of what one sees in typical litigation – UDRP cases usually conclude within weeks, and generally cost a few thousand dollars.

The UDRP Frowns Upon Phishing

To be successful in bringing a UDRP proceeding, a party has to prove (1) that it owns a trademark that is identical or confusingly similar to the disputed domain name, (2) that the party that registered the disputed domain name has no rights or legitimate interests in the disputed domain name, and (3) that the disputed domain name was registered and has been used in bad faith.

UDRP panels typically show little tolerance for blatant phishing efforts. Companies bringing UDRP actions against registrants of domain names registered for phishing purposes enjoy a high rate of success. A good phishing effort (that is, “good” in the sense that the fake domain name succeeds in deceiving) will require using words similar to the company’s mark. So the first element is usually a low hurdle. On the second and third elements, UDRP panels are readily persuaded that a party using a disputed domain name for phishing gains no rights or legitimate interests, and demonstrates clear bad faith. “Using the disputed domain name to send fraudulent email is a strong example of bad faith under the [UDRP].” Samaritan’s Purse v. Domains By Proxy, LLC / Christopher Orientale NA, WIPO Case No. D2019-2403 

Technology vendors must be proactive in dealing with COVID-19 problems

Early action now on possible performance issues will “flatten the curve” of customer problems in the coming weeks and months. 

Here are three things technology and software vendors can do right now to get ahead of problems that may appear (if they are not already) with services such as development, implementation and support:

  • Check your contracts to see whether there are any “material assumptions” that have failed or will fail – perhaps because of some governmental action or unavailability of personnel.
  • Consider whether a change order would be appropriate to redefine the scope of services, timing for performance, or the fees to be charged.
  • See if any delay in your performance is excused on the basis of force majeure. If so, do you need to give notice to your customer that you are claiming force majeure?

Learn from IBM: Do what is required when there are failures of material assumptions.

In 2006, the State of Indiana signed a $1.3 billion contract with IBM to revamp the technology of the State’s welfare system. The economy went south in 2008. In the complicated breach of contract litigation that followed, IBM argued, among other things, that the economic downturn resulted in the failure of one of the material assumptions of the agreement. IBM urged the court to consider that failure of assumption when deciding whether IBM had materially breached its contract to develop and deploy the system.

The Indiana Supreme Court rejected IBM’s arguments. Why? Not because the economic downturn was not a failure of a material assumption. (It might have been.) Indeed, the contract specifically said that one of the parties’ material assumptions was that the economy would not take a downturn. But IBM did not do what the contract required in light of the downturn – it did not submit a change order request in response to the failure of the assumption, as the contract required.

Change orders anyway?

Even if your contract does not contain material assumptions, it may contain a procedure for procuring change orders. Parties include change order provisions so that they have an organized pathway for making changes to the scope, timing or pricing when circumstances – whether dramatic or trivial – change while the contract is being performed. Vendors should consider whether a simple change to the parties’ obligations can be made now to reduce bigger problems later. It is better for a ship to correct its course early in the journey rather than after many weary days at sea.

And from a practical, customer-focused perspective, the discussions around possible change orders give a vendor the opportunity to communicate with its customer. This gives the vendor the chance to assure the customer that services are safe in the long run, and can work to build trust and goodwill that will be key in the further development and collaboration that is going to happen in the technology space once this COVID-19 episode has come to a close.

Force majeure notice – it is critically important

In the litigation against the state of Indiana, IBM also claimed that severe flooding in the state in 2008 was a force majeure event that excused IBM’s performance. Again, as with the argument for failure of material assumption, IBM did not do what it was required to do under the terms of the contract to avail itself of this excuse in performance.

The court found that force majeure did not apply because IBM did not give appropriate notice as required under the agreement. This highlights a critical takeaway – if a vendor sees an upcoming need to claim that it cannot perform due to some circumstance arising from causes outside its control, it is better to place the customer on notice of that fact sooner rather than later.   

So, here are the key questions to ask right now:

  • Has a material assumption failed? If so, what must I do?
  • Would a request for change order be appropriate?
  • What do I need to do before claiming force majeure?

Being proactive now, in the early stages of the COVID-19 crisis, will – just as in the epidemiological context – flatten the curve of problems later.

State of Indiana v. IBM Corp., 51 N.E.3d 150 (Ind. 2016)

Ninth Circuit: Section 230 barred tortious interference claim

Amazon.com scored a Ninth Circuit win on Section 230 grounds when the court affirmed the lower court’s summary judgment against a pro se plaintiff’s claim against Amazon for tortious interference with prospective and actual business relations, and interference with an economic advantage. The claim apparently arose out of a third party posting a review on Amazon that plaintiff did not like. Citing to Barnes v. Yahoo!, Inc., 570 F.3d 1096 (9th Cir. 2009), the court observed that the Communications Decency Act (at Section 230(c)(1)) provides immunity from liability if a claim “inherently requires the court to treat the defendant as the ‘publisher or speaker’ of content provided by another.” Plaintiff had failed to raise a genuine dispute of material fact as to whether Amazon was not a publisher or speaker of content within the meaning of Section 230.

Sen v. Amazon.com, 2020 WL 708701 (9th Cir. February 12, 2020)

Are your terms and conditions enforceable?

If customers use your website or online service or app, you need to have enforceable terms and conditions. That way, if there is some dispute, you can control how it’s resolved. You can also contain the costs by putting an arbitration clause in the terms and conditions. Instead of an expensive lawsuit, you can resolve it in arbitration, which is often less expensive, quicker, and more private.

For terms and conditions to be enforceable, one must prove that the customer actually agreed to them. You’d be surprised how often companies find themselves in the expensive hassle of fighting over whether their terms are enforceable, then finding out they’re not.  This can cause them to miss out on the cost savings and efficiency of arbitration.

This happened just this week. A federal court of appeals ruled that an app developer didn’t structure the interface in a way to put users on notice of the terms. So since the developer couldn’t prove the users saw the terms, the case will proceed in court instead of arbitration.

And perhaps even worse, the case will probably move forward as a class action. Had the terms been enforceable, it would probably have just been limited to one-on-one lawsuits. That would have been much better for the developer.

If you’d like to discuss your terms and conditions, drop me a line or give me a call.

See also: Browsewrap enforceable: hyperlinked terms on defendant’s website gave reasonable notice

Benson v. Double Down Interactive, LLC, 2020 WL 468422 (9th Cir. January 29, 2020)

About the author: Evan Brown is a technology and intellectual property attorney in Chicago. Follow him on Twitter and Instagram, connect on LinkedIn and subscribe to his YouTube channel for videos on interesting topics about law and technology.

Facebook hacking that causes emotional distress – does the CFAA provide recovery?

A recent federal case from Virginia provides information on the types of “losses” that are actionable under the federal anti-hacking statute, the Computer Fraud and Abuse Act (“CFAA”).

Underlying facts

Plaintiff worked as a campaign manager, communications director and private sector employee of a Virginia state legislator. While plaintiff was in the hospital, defendant allegedly, without authorization, accessed plaintiff’s Facebook, Gmail and Google Docs accounts, and tried to access her Wells Fargo online account.

Plaintiff’s lawsuit

Plaintiff sued, alleging a number of claims, among them a claim for violation of the CFAA. Defendant moved to dismiss. Although the court denied the motion to dismiss on other grounds, it held that plaintiff’s alleged emotional distress was not the type of “loss” that is actionable under the CFAA.

Loss under the CFAA

One can bring a civil action under the CFAA if the defendant’s alleged conduct involves certain factors. One of those factors, set out at 18 U.S.C. § 1030(c)(4)(A)(i)(II), provides recovery if there is “the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals”.

Plaintiff alleged that defendant’s unauthorized access and attempted access to her accounts caused her to sustain a “loss” under this definition because it caused her to suffer emotional distress for which she needed to seek counseling.

The court disagreed with plaintiff’s assertions. Essentially, the court held, the modification of or impairment of a plaintiff’s treatment must be based on impairment due to the ability to access or use deleted or corrupted medical records. As an example – this was not in the court’s opinion but is provided by the author of this post – one might be able to state a claim if medical records were modified by a hacker to change prescription information. Further, the court held, to recover under the relevant provision of the CFAA, a defendant’s violation must modify or impair an individual’s medical treatment as it already exists, not merely cause the plaintiff mental pain and suffering that requires additional care.

Hains v. Adams, 2019 WL 5929259 (E.D. Virginia, November 12, 2019)

Real estate brokerage may be liable for its agent’s copyright infringement

Case underscores reason why companies using independent contractors should consider negotiating provisions that require those independent contractors to indemnify the company in the event of third party intellectual property claims.

Plaintiff’s claims

Plaintiff photographer sued a real estate brokerage firm and the firm’s independent agent who published on her brokerage-branded website one of plaintiff’s photos without authorization. Plaintiff asserted a direct infringement claim against the agent, and a vicarious infringement claim against the brokerage. Defendant brokerage firm moved to dismiss for failure to state a claim. The court denied the motion.

Elements of vicarious copyright infringement

To state a claim for vicarious copyright infringement, in addition to stating a claim for direct infringement by the agent, the plaintiff had to successfully plead that the brokerage (1) had a direct financial interest in the appearance of the infringing photo on its agent’s website, and (2) had the right and ability to supervise the infringing activity.

The court’s decision

On the first element of vicarious copyright infringement, the court found that plaintiff adequately alleged that defendant brokerage had a direct financial interest in defendant agent’s use of the photo on her website. Defendant agent was defendant brokerage’s sponsored agent, and it was plausible that her use of the photo to enhance the appeal of her website provided both defendant agent and defendant brokerage with a direct financial benefit in the form of increased business.

As for the second element – right and ability to supervise – the court found that plaintiff’s undisputed allegation that defendant agent was a licensed real estate agent under defendant brokerage’s sponsorship, coupled with defendant brokerage’s statutory obligation to supervise defendant agent’s actions, were sufficient to state a plausible claim that defendant brokerage had the right and ability to supervise defendant agent’s infringing activity.

The parties disputed the level of supervision and control that defendant brokerage had, and the “right and ability” to exercise control over defendant agent’s activity on her website.

Plaintiff asserted that the website was one published by the defendant brokerage, while the defendant brokerage disclaimed all responsibility for the website. Yet regardless of which party actually exercised direct control over the website, the fact remained – in the court’s view – that defendant agent carried out the alleged copyright infringement on the website under the auspices of defendant brokerage’s sponsorship, and defendant brokerage had a statutory obligation to supervise her conduct as a sponsored agent.

Moreover, although defendant agent could hypothetically continue her alleged infringement in a different setting were defendant brokerage to terminate her sponsorship, the undisputed fact that defendant brokerage could have terminated her sponsorship lent further support to the inference that defendant brokerage had the right and ability to supervise defendant agent’s infringing acts.

Stross v. PR Advisors, LLC, 2019 WL 5697225 (N.D. Tex. October 31, 2019)

Ninth Circuit won’t stop electricity cost increase for blockchain companies

Plaintiffs provide “verification and security services for blockchain-based cryptocurrencies.” Grant County, Washington decided to charge plaintiffs and others in “evolving industries” more for electricity. Plaintiffs sued and tried to get an injunction against the rate increase.

The lower court denied the preliminary injunction. Plaintiffs sought review with the Ninth Circuit. On appeal, the court affirmed the denial of the preliminary injunction.

It held that simple monetary harm would not constitute an immediate threat of irreparable harm that would be appropriately remedied by an injunction. Although a legitimate threat that a company might face bankruptcy or be driven out of business may constitute irreparable harm, in this case, plaintiffs failed to introduce competent evidence that they would be driven out of business because of the increased rates.

Blocktree Properties, LLC. v. Pub. Utility Dist. No. 2 of Grant County, 2019 WL 5704281 (9th Cir. November 5, 2019)
