Cybersquatting continues to pose a significant threat to trademark holders, and especially those with strong brand recognition and reputation. Cybersquatters not only divert traffic from legitimate sites, but often leverage strong consumer goodwill in a particular mark to lure consumers into scams—everything from fake/pirated goods and services, to email impersonation fraud that solicits sensitive information. This creates very real risk not only to consumers, but also to brands whose reputation could be damaged irrevocably by association with these fraudulent acts, and must be addressed as expediently as possible.
But for those trademark holders with exceptionally strong brand reputation, quashing cybersquatting is rarely a matter of shutting down just one infringing domain. Many companies have to deal with hundreds—even thousands—of cybersquatted domains, and just as one is cut down, another crops up. How does a brand shut down this type of malicious activity with any degree of efficiency?
One of the most straightforward methods of addressing cybersquatting is through the Uniform Domain-Name Dispute-Resolution Policy (“UDRP”), which provides for streamlined dispute resolution before administrative panels. But while those streamlined procedures make the UDRP an efficient option for proceeding against a single domain name, they may prevent complainants from taking action against multiple domain names if the domain name registration (whois) records for the domain names do not unequivocally demonstrate common ownership. See, e.g., http://www.iprdaily.com/article/index/17054.html. Given the proliferation of domain privacy services, coupled with the concealment of registrant information by many registrars in response to GDPR concerns, it is becoming rare for a party to be able to show (at least at the complaint stage) who owns the domain name.
As a result, brand owners may be unable to bring a UDRP action against more than one domain as complaints against multiple domains are often refused by “case administrators” at UDRP service providers or even UDRP panelists. See, e.g., The Toronto-Dominion Bank v. Adams, Case No. FA2305002042638 (Forum June 5, 2023) (dismissing second domain name without prejudice based on finding that “allegations above do not necessarily indicate that the domain names are under common control”) (emphasis added). In the recent case of Fenix International Limited v. Bizwer , D2022-3002 (WIPO Oct. 27, 2022), a UDRP panel’s finding that there was “insufficient evidence to support a finding that common control exists” in relation to 14 domain names forced the Complainant to re-file multiple UDRP proceedings seeking to address the domain names. Considering that UDRP filing fees alone can be $1,500 USD or more per proceeding, and that properly filed UDRP complaints should include detailed legal arguments from counsel, trying to address multiple cybersquatted domains through the URDP can become a very expensive endeavor, very quickly.
For trademark holders seeking to address widespread cybersquatting, the Anti-Cybersquatting Consumer Protection Act, 15 U.S.C. § 1125(d) (“ACPA”), provides the best option. Not only does the ACPA allow a plaintiff to proceed against a domain name itself when the registrant is unknown or not subject to U.S. jurisdiction, but also civil actions under the ACPA are subject to the joinder provisions of the Federal Rules of Civil Procedure, which are far less restrictive than trending interpretations of the UDRP’s requirements regarding common ownership. And recent developments in case law in one of the most common ACPA jurisdictions have confirmed the viability of using the ACPA to pursue large, multi-domain actions.
The Eastern District of Virginia has been at the forefront of ACPA law, due to the ACPA’s venue provisions. Under 15 U.S.C. § 1125(d)(2)(C), an in rem action directly against a domain name may be brought in the judicial district where the “domain name registrar, registry, or other domain name authority that registered or assigned the domain is located.” The Eastern District of Virginia is home to the domain registries for .com, .net, and .org, and thus, the Eastern District is the natural first choice for an in rem action against any domain with one of these popular top-level domains. The judges in the Eastern District are well versed in the ACPA and are highly efficient in resolving in rem domain cases—even those with multiple domain names at issue.
U.S. federal court plaintiffs traditionally have been expected to demonstrate propriety of joinder of defendants under Federal Rule of Civil Procedure 20, which requires that the right to relief “aris[es] out of the same transaction, occurrence, or series of transactions or occurrences,” and that “any question of law or fact common to all defendants will arise in the action.” Of course, Rule 20 remains the safest method of demonstrating that an action is properly brought against multiple domain names at once, and a plaintiff should endeavor to demonstrate a common series of transactions raising common questions of fact or law. But where such a showing has not been made, at least some judges in the Eastern District of Virginia have chosen to employ the court’s discretion and authority under Rule 21 to allow an ACPA action to proceed anyway.
In LendingClub Bank v. LendingClub.com, the court considered a motion for default judgment in an in rem action against 150 domain names. No. 1:22-cv-0484 (AJT/JFA), 2023 WL 2584921 (E.D. Va. Feb. 27, 2023). The plaintiff argued that the domains were registered in the “same type of successive, illegal cybersquatting transactions,” but not that they arose from the same series of transactions and occurrences. Id. at *3 (emphasis added). The magistrate judge found that this allegation was insufficient to demonstrate joinder under Rule 20. Nonetheless, the magistrate judge chose to proceed to the merits of the claim, based on the court’s authority under Rule 21:
[T]he court has discretion to act sua sponte to, “on just terms, add or drop a party.” Previously, this court has found that any defects to joinder may be disregarded when the joinder does not affect any party's substantial rights. Here, none of the defaulting defendant domain names are prejudiced by joinder, as their liability is established by their own default, not the default of any other defendant domain name. As such, joinder does not affect any of defendant domain names’ substantive rights.
For this reason, the undersigned recommends a finding that this motion for default judgment against the 150 defendant domain names should proceed in this single action.
Id. at *4 (citations omitted). The district court judge later affirmed the magistrate judge’s report and recommendation, and default judgment was entered against the domain names notwithstanding the joinder defects. LendingClub Bank v. LendingClub.com, No. 1:22-cv-484 (AJT/JFA), 2023 WL 2581308 (E.D. Va. Mar. 20, 2023).
This decision, expanding upon past precedent to expressly apply Rule 21 where Rule 20’s joinder requirements had not been met, opens the door to broader ACPA claims: the defendant domain names selected for a particular action need not be as tightly tethered to a single timeframe or other facts that indicate a single series of transactions. In in rem cybersquatting actions, for which it is common for a defendant to default, Rule 21 provides a vehicle to pursue multiple domain names even if they do not apparently arise from a single series of transactions or occurrences.
This is not to say that a plaintiff should bring an action against a limitless number of unrelated domain names. A successful ACPA action requires carefully management of defendant domain names and outreach thereto, and an unwieldy case could quickly exhaust the court’s patience and inclination to exercise its discretion in the plaintiff’s favor. But this application of Rule 21 to large-scale cybersquatting actions renders well-managed in rem ACPA suits, and specifically suits brought in the Eastern District of Virginia, a very attractive option for entities battling an onslaught of cybersquatters.