Registrar Liability for Negligence: Time for Two Factor Authentication

by John DiGiacomo

Partner

Internet Lawyer

We have seen a lot of domain theft cases lately. Let me say that again. We have seen a LOT of domain name theft cases lately. In the typical scenario, a hacker will identify, by performing a reverse WHOIS search, an individual or company with a large and valuable domain name portfolio. The hacker will then identify the email address associated with that portfolio, either brute-force or social-engineer the password for the registrant’s email account through a variety of nefarious means, obtain control over that account, and use it to transfer the domain names away to a foreign, and often uncooperative, registrar.

Often, the domain names within the registrant’s portfolio represent millions of dollars. In those cases, where it makes financial sense to file a lawsuit, we will get a call and, often six to twelve months later and after numerous arguments with the registrar and/or the registry, the registrant will regain control over the domain names. But there is a very simple step that registrars could take, and many find too costly to take, to protect against this scenario, which is not going away.

Two factor authentication requires a registrant to provide two forms of authentication before allowing the registrant (or the thief) to transfer domain names away from the registrant’s account or take any other action that could potentially be detrimental to the registrant’s rights. It requires confirmation of identity through two means, which typically consist of something that the user possesses, such as a USB encryption key dongle or a phone number, something that the user knows, such as a password, or something that is inseparable from the user, such as a fingerprint. Many registrars have been reluctant to implement two factor authentication and cite cost as a factor; additional authentication methods may require the purchase of additional software or the hiring of additional personnel.

But registrars that do not implement two factor authentication may risk subjecting themselves to a negligence lawsuit under case law that every American law student reads in law school. In The T.J. Hooper, esteemed jurist Learned Hand examined whether a tugboat company should be held liable for negligence for failing to implement a radio as a safety mechanism. During a large storm, the T.J. Hooper, a cargo vessel, sank, destroying cargo owned by the plaintiff. The plaintiff sued, alleging that the owner of the barge should be held liable for negligence for failing to equip the tugboat with a radio, which would have warned the captain of bad weather. Judge Learned Hand found the T.J. Hooper’s owner liable because he failed to act with due care in failing to install a radio, despite the fact that “everybody’s doing it.” In so ruling, Learned Hand noted, “There are precautions so imperative that even their universal disregard will not excuse their omission.” In re Eastern Transportation Co. (The T.J. Hooper), 60 F.2d 737 (2nd Cir. 1932).

And the same may be true for registrars. Even though many registrars have failed to implement two factor authentication, and though many have only done so for their high net worth clients, there are some precautions that are so imperative to the protection of their consumers’ property rights that even universal disregard will not excuse their omission.

Don’t become the next T.J. Hooper.
