WIPO Arbitration and Mediation Center

ADMINISTRATIVE PANEL DECISION

Equifax Inc. v. Robert Dow, Warpaint Resources LLC

Case No. D2017-1882

1. The Parties

The Complainant is Equifax Inc. of Atlanta, Georgia, United States of America ("United States" or "US"), represented by The GigaLaw Firm, Douglas M. Isenberg, Attorney at Law, LLC, United States.

The Respondent is Robert Dow, Warpaint Resources LLC of Frisco, Texas, United States, represented by Locke Lord LLP, United States.

2. The Domain Names and Registrars

This proceeding concerns 135 disputed domain names (the "Domain Names"), as follows:

<efxbreach.biz>, <efxbreach.club>, <efxbreach.co>, <efxbreach.info>, <efxbreach.life>, <efxbreach.me>, <efxbreach.mobi>, <efxbreach.online>, <efxbreach.org>, <efxbreach.store>, <efxbreach.today>, <efxbreach.website>, <efxbreach.xyz>, <efxhack.attorney>, <efxhack.biz>, <efxhack.club>, <efxhack.co>, <efxhack.info>, <efxhack.life>, <efxhack.me>, <efxhack.mobi>, <efxhack.online>, <efxhack.org>, <efxhack.store>, <efxhack.tips>, <efxhack.website>, <efxhack.xyz>, <efxlawsuit.attorney>, <efxlawsuit.com>, <efxlawsuit.info>, <efxlawsuit.net>, <efxlawsuit.org>, <efxsuit.attorney>, <efxsuit.info>, <efxsuit.online>, <efxsuit.org>, <equifaxbreach.attorney>, <equifaxbreach.club>, <equifaxbreach.co>, <equifaxbreach.email>, <equifaxbreach.guru>, <equifaxbreach.info>, <equifaxbreach.me>, <equifaxbreach.mobi>, <equifaxbreach.net>, <equifaxbreach.online>, <equifaxbreach.org>, <equifaxbreach.solutions>, <equifaxbreach.store>, <equifaxbreach.today>, <equifaxbreach.website>, <equifaxbreach.xyz>, <equifaxfuckedme.com>, <equifaxhack.attorney>, <equifaxhack.biz>, <equifaxhack.club>, <equifaxhack.co>, <equifaxhacked.attorney>, <equifaxhacked.me>, <equifaxhackedme.biz>, <equifaxhackedme.club>, <equifaxhackedme.co>, <equifaxhackedme.com>, <equifaxhackedme.email>, <equifaxhackedme.info>, <equifaxhackedme.me>, <equifaxhackedme.mobi>, <equifaxhackedme.net>, <equifaxhackedme.online>, <equifaxhackedme.org>, <equifaxhackedme.solutions>, <equifaxhackedme.store>, <equifaxhackedme.today>, <equifaxhackedme.website>, <equifaxhackedme.xyz>, <equifaxhackedus.com>, <equifaxhackeduse.com>, <equifaxhackedyou.com>, <equifaxhack.email>, <equifaxhack.info>, <equifaxhack.me>, <equifaxhack.mobi>, <equifaxhack.online>, <equifaxhack.org>, <equifaxhack.solutions>, <equifaxhack.store>, <equifaxhack.tips>, <equifaxhack.today>, <equifaxhack.website>, <equifaxhack.xyz>, <equifaxlawsuit.info>, <equifaxlawsuit.me>, <equifaxlawsuit.net>, <equifaxlawsuit.online>, <equifaxsuit.info>, <equifaxsuit.me>, <equifaxsuit.net>, <equifaxsuit.online>, <equifaxsuit.org>, <equifaxsuit.xyz>, <equihacks.attorney>, <equihacks.biz>, <equihacks.club>, <equihacks.co>, <equihacks.guru>, <equihacks.info>, <equihacks.life>, <equihacks.me>, <equihacks.mobi>, <equihacks.net>, <equihacks.online>, <equihacks.org>, <equihacks.store>, <equihacks.today>, <equihacks.vip>, <equihacks.website>, <equihacks.xyz>, <equihax.attorney>, <equihax.biz>, <equihax.club>, <equihax.co>, <equihax.company>, <equihax.info>,<equihax.life>, <equihax.me>, <equihax.mobi>, <equihax.online>, <equihax.org>, <equihax.rocks>, <equihax.solutions>, <equihax.store>, <equihax.today>, <equihax.website>, <equihax.work>, and <equihax.xyz>.

All of the Domain Names are registered with GoDaddy.com, LLC (the "Registrar").

3. Procedural History

The Complaint was filed with the WIPO Arbitration and Mediation Center (the "Center") on September 26, 2017. On September 27, 2017, the Center transmitted by email to the Registrar a request for registrar verification in connection with the Domain Names. On September 28, 2017, the Registrar transmitted by email to the Center its verification response confirming that the Respondent is listed as the registrant and providing the contact details.

The Center verified that the Complaint satisfied the formal requirements of the Uniform Domain Name Dispute Resolution Policy (the "Policy" or "UDRP"), the Rules for Uniform Domain Name Dispute Resolution Policy (the "Rules"), and the WIPO Supplemental Rules for Uniform Domain Name Dispute Resolution Policy (the "Supplemental Rules").

In accordance with the Rules, paragraphs 2 and 4, the Center formally notified the Respondent of the Complaint, and the proceedings commenced on October 4, 2017. In accordance with the Rules, paragraph 5, the due date for the Response was October 24, 2017. The Response was filed with the Center on October 24, 2017.

The Complainant submitted a Supplemental Filing on October 26, 2017, to which the Respondent objected and replied on October 31, 2017. The Center received an additional email communication from the Complainant on November 7, 2017.

The Center appointed W. Scott Blackmer as the sole panelist in this matter on November 8, 2017. The Panel finds that it was properly constituted. The Panel has submitted the Statement of Acceptance and Declaration of Impartiality and Independence, as required by the Center to ensure compliance with the Rules, paragraph 7.

4. Factual Background

The Complainant is a business corporation organized under the laws of the State of Georgia, United States, and headquartered in Atlanta, Georgia. Founded in 1899 as Retail Credit Company, the Complainant changed its name to Equifax in 1975 and is one of the "big three" US credit reporting agencies, with large subsidiaries in Canada, the United Kingdom of Great Britain and Northern Ireland ("United Kingdom"), and Brazil. In addition to consumer and business credit information services, the Complainant offers a range of information database management, marketing information, decision-making and analytical tools, and identity verification services, as well as fraud detection and prevention services and personal financial management offerings. The Complainant is listed on the New York Stock Exchange ("NYSE") and reports annual revenues in excess of USD 3 billion. The Complainant operates a principal website at "www.equifax.com".

The Complainant holds numerous trademark registrations in the US and other countries consisting of, or incorporating, EQUIFAX or the abbreviation EFX (which is also the Complainant's stock market "ticker" symbol on the NYSE). These include the following US standard-character trademark registrations:

TRADEMARK

REGISTRATION NUMBER

REGISTRATION DATE

EQUIFAX

1027544

December 16, 1975

EQUIFAX

1045574

August 3, 1976

EQUIFAX

1644585

May 14, 1991

EFX

3990312

July 5, 2011

EFX ID

3906451

January 18, 2011

On September 7, 2017, the Complainant announced a cybersecurity incident compromising consumer information in its databases and "potentially impacting approximately 143 million U.S. consumers", as well as hundreds of thousands of consumers in Canada and the United Kingdom. According to the announcement, a criminal attack on the Complainant's systems, over a period of months, extracted names, Social Security Numbers, birthdates, addresses, and in some cases driver's license numbers and credit card numbers. The Complainant's press release pointed to a dedicated website with information about the incident and the Complainant's offer of credit file monitoring and identity theft protection at "www.equifaxsecurity2017.com". The announcement of this security breach instantly attracted intense media attention in the US and abroad because of its scale and sensitivity.

The Respondent, a Texas limited liability company which, it appears, is normally engaged in the "acquisition, exploration, and development of oil and gas assets in the United States", registered the 135 Domain Names on September 8, 2017, the day after the Complainant announced the massive security breach. At the time of this Decision, however, none of the Domain Names is associated with a developed website relating to the security incident.

Many of the Domain Names resolve to a standard landing page generated by the Registrar, which is headed with the words, "Welcome to", followed by the Domain Name in question and the statement, "This Web page is parked for FREE, courtesy of GoDaddy.com." The landing page features advertising for the Registrar's domain registration services and includes a link inviting the owner of the Domain Name to purchase services to develop an associated website, as well as a link for those who might be interested in purchasing the Domain Name itself. In addition, the landing page displays pay-per-click ("PPC") "Related Links" to third-party advertisers, which the search software used by the Registrar has determined to be potentially relevant to the Domain Name. In the case of the Domain Names in this proceeding, the "Related Links" generated by the Registrar's ad servers include advertisers under such topics as "Data Breach", "Computer Security", "Legal", and "Privacy". Some of these advertisers are the Complainant's competitors. From a perusal of the Registrar's website, it appears that this form of "free parking" generates revenue for the Registrar but not for a domain name owner, who must pay to subscribe to a PPC program in order to share revenues with the Registrar.

The other Domain Names show slightly more attention by the Respondent to date, in that they are not parked by default to the Registrar's PPC landing page but rather to a landing page that must be selected by the Respondent. This landing page contains no advertising but merely the message, "website coming soon! Please check back soon to see if the site is available."

5. Parties' Contentions

A. Complainant

The Complainant asserts that the Domain Names are confusingly similar to its registered EQUIFAX and EFX trademarks and that the Respondent has no rights or legitimate interests in the Domain Names. The Complainant argues that the Respondent does not have permission to use the Complainant's marks, is not known by a name corresponding to any of the Domain Names, and has not shown demonstrable preparations to use the Domain Names for noncommercial, fair-use criticism websites nor in connection with a bona fide offering of goods or services within the meaning of the Policy.

The Complainant contends that the Respondent registered and used the Domain Names in bad faith, to solicit clients to sue the Complainant, misdirect Internet users for commercial gain, disrupt the Complainant's business, and prevent the Complainant from registering domain names relevant to the security incident.

B. Respondent

The Respondent argues that the Domain Names are not confusingly similar to the Complainant's marks, because Internet users are familiar with the "media firestorm" about the Complainant's data breach and would consider the Domain Names, with additional words such as "hack" and "lawsuit", to be critical and not associated with the Complainant.

The Respondent claims a legitimate interest in those Domain Names and denies that they were registered and used in bad faith. The Respondent states that it registered the Domain Names because it was retained by an attorney, Zachariah Eccleston, to "develop a communication strategy" for his law practice to provide information to consumers about the Complainant's data breach and regarding "the filing of individual and class-action lawsuits against Complainant." The Respondent claims a legitimate interest in using the Domain Names to provide such information to affected persons and market legal services to them in connection with potential litigation against the Complainant. The Respondent points out that this did not prevent the Complainant from registering a domain name dedicated to the security breach and communicating with consumers about the incident.

6. Discussion and Findings

Scandals spawn hashtags and disasters breed domain names. This UDRP proceeding addresses the question, when is it fair to use a trademark in domain names targeting people potentially injured by a highly-publicized incident involving the trademark owner?

Paragraph 4(a) of the Policy provides that in order to divest a respondent of a disputed domain name, a complainant must demonstrate each of the following:

(i) the disputed domain name is identical or confusingly similar to a trademark or service mark in which the complainant has rights; and

(ii) the respondent has no rights or legitimate interests in respect of the disputed domain name; and

(iii) the disputed domain name has been registered and is being used in bad faith.

Under paragraph 15(a) of the Rules, "A Panel shall decide a complaint on the basis of the statements and documents submitted and in accordance with the Policy, these Rules and any rules and principles of law that it deems applicable."

A. Preliminary Issue: Supplemental Filings

Neither the Rules nor the Supplemental Rules make provision for supplemental filings, except at the request of the panel (see Rules, paragraph 12). Paragraph 10 of the Rules enjoins the panel to conduct the proceeding "with due expedition". Therefore, UDRP panels are typically reluctant to countenance delay through additional rounds of pleading and normally accept supplemental filings only in exceptional circumstances, typically to consider material new evidence or provide a fair opportunity to respond to arguments that could not reasonably have been anticipated. See WIPO Overview of WIPO Panel Views on Selected UDRP Questions, Third Edition ("WIPO Overview 3.0"), section 4.6.

The Panel accepts the Complainant's Supplemental Filing here, and the Respondent's reply, to the extent that they address the reason advanced in the Response for registering the 135 Domain Names: to market the services of a third party. As there are no developed websites associated with the Domain Names, this is information that was not previously available to the Complainant, and it is relevant to the Parties' arguments concerning the second and third elements of the Complaint.

B. Identical or Confusingly Similar

The first element of a UDRP complaint "serves essentially as a standing requirement" and entails "a straightforward visual or aural comparison of the trademark with the alphanumeric string in the domain name". See WIPO Overview 3.0, section 1.7.

The Respondent invites the Panel to examine the likelihood of actual confusion as to source or affiliation among US Internet users exposed to publicity about the recent data breach, asking whether such users are more likely to believe that the Complainant or an antagonist would use Domain Names using terms such as "hack", "breach", and "lawsuit". This is not an evaluation that is necessary, however, for purposes of the first element of the UDRP complaint. The concern for this phase of the UDRP proceeding is to establish whether a disputed domain name string is sufficiently similar to a trademark, i.e., is recognizable within the domain name, not whether users would dismiss potential confusion by a discerning eye (see WIPO Overview 3.0, section 1.7). Thus, even in UDRP proceedings involving openly critical domain names (e.g., in the pattern "trademarksucks.com"), panels overwhelmingly (although not necessarily uniformly) find confusing similarity under the first element and assess the negative impact of the domain name in the context of the second and third elements of the Complaint. See WIPO Overview 3.0, section 1.13.

The Respondent by its own admission selected Domain Names that were meant to refer to the Complainant and to appeal to consumers familiar both with the EQUIFAX and EFX trademarks and with the recent security breach following a computer hack of the Complainant's systems. The issue in this proceeding is not whether the Domain Names included the trademarks or cleverly relevant variations of them. They all did, as the Respondent intended. The issue is whether the Respondent had a right to do so, and that is a question for the inquiry into rights or legitimate interests and bad faith under the second and third elements of the Policy.

For the first element, the analysis is simpler: The Complainant indisputably holds registered EQUIFAX and EFX trademarks. Most of the Domain Names incorporate one or the other of these marks in their entirety. Several alter the mark EQUIFAX slightly to "equihax" or "equihacks", which look and sound similar to EQUIFAX and were meant to call to mind the recent criminal computer "hack" of the Complainant's computer systems, according to the Response. The addition of generic or descriptive words or phrases in the various Domain Names to the Complainant's distinctive and coined trademarks, or meaningful typographical variations thereof, does not avoid a finding of "confusion" for purposes of this element of the Policy.

While the Top-Level Domain ("TLD") is viewed as a standard registration requirement and generally disregarded as immaterial in UDRP proceedings, several of the Domain Names in this instance were registered in the ".attorney" TLD. The Respondent suggests that using the term "attorney" in the TLD helps distinguish those Domain Names from ones that the Complainant would be likely to sponsor. The Panel does not find this dispositive on the first element, however. In any event, the problem remains under the first element that each of these Domain Names includes a trademark of the Complainant, or a near variation of one, as intended.

The Panel concludes that the Domain Names are all confusingly similar to the Complainant's EQUIFAX or EFX marks, respectively, for the limited purposes of the first element of the Policy, giving the Complainant standing to proceed.

C. Rights or Legitimate Interests

Paragraph 4(c) of the Policy gives non-exclusive examples of instances in which the Respondent may establish rights or legitimate interests in any of the Domain Names, by demonstrating any of the following:

(i) before any notice to it of the dispute, the Respondent's use of, or demonstrable preparations to use, the Domain Name or a name corresponding to the Domain Name in connection with a bona fide offering of goods or services; or

(ii) that the Respondent has been commonly known by the Domain Name, even if it has acquired no trademark or service mark rights; or

(iii) the Respondent is making a legitimate noncommercial or fair use of the Domain Name, without intent for commercial gain to misleadingly divert consumers or to tarnish the trademark or service mark at issue.

Since a respondent in a UDRP proceeding is in the best position to assert rights or legitimate interests in a disputed domain name, it is well established that after a complainant makes a prima facie case, the burden of production to show rights or legitimate interests in the disputed domain name shifts to the respondent. See WIPO Overview 3.0, section 2.1.

Here, the Complainant has demonstrated trademark rights and confusing similarity, and the Complainant denies any association with the Respondent. The Respondent asserts its interest in using the Domain Names for one or more websites promoting the litigation services of Dallas, Texas attorney Zachariah Eccleston and his law firm to individuals affected by the Complainant's security breach who might be interested in suing the Complainant. The Response attaches an affidavit from Mr. Eccleston outlining his engagement of the Respondent to prepare a marketing strategy including websites, social media, and telephone communications and to provide general information about the Complainant's security breach incident. The Panel notes that while it appears Mr. Eccleston's practice historically emphasized oil and gas law, his firm's website at "www.helawfirm.com" now includes the words "Equifax Litigation", with no further elaboration. None of the Domain Names resolves to a developed website at the time of this decision. Nevertheless, the Panel accepts Mr. Eccleston's affidavit as evidence of preparations to develop "lawsuit marketing assets" including websites associated with "more than 150 domain names" (not all of which are involved in this UDRP proceeding), social media pages on Twitter, Facebook, Instagram, Snapchat, and Facebook, and two toll-free telephone numbers.

The Complainant questions whether using its trademarks for Domain Names associated with websites designed to promote litigation against the Complainant should be deemed a use "in connection with a bona fide offering of goods or services" within the meaning of the Policy, paragraph 4(c)(i) or a "fair use" under the Policy, paragraph 4(c)(iii). Other UDRP panels have concluded such use was not legitimate in the circumstances of those proceedings.

The Respondent distinguishes the facts in these and other cases cited by the Complainant and points to KBR, Inc. v. Jeffrey L. Raizner, NAF Claim No. 1413439 ("KBR"), where the panel found it appropriate for the respondent to use a trademark in the domain name to report on litigation against the complainant, including litigation in which the respondent's law firm was involved (and therefore commercially interested). The panel in that proceeding characterized the respondent's conduct as legitimate, nominative fair use of the trademark:

"Such use is protected both under paragraph 4(c)(iii) of the Policy and under the trademark laws of the United States of America, the country of residence of both Parties. Nominative use is present where the respondent needs to use the mark to describe its goods or services, uses no more of the mark than necessary, and does not falsely suggest sponsorship or endorsement by the mark owner."1

The KBR decision was cited with approval in a well-reasoned decision, Amylin Pharmaceuticals, Inc. v. Watts Guerra Craft LLP, WIPO Case No. D2012-0486 ("Amylin"), which similarly dealt with a trademark appearing in a domain name that was used for a lawyer's website soliciting clients for a lawsuit against the trademark owner. Given the facts in that proceeding, the panel found that the respondent met the standard for fair use under the Policy, paragraph 4(c)(iii), noting that what is forbidden by that clause is to "misleadingly divert customers" or "tarnish" the mark "for commercial gain". The Amylin panel decided that the disputed domain name was not "misleading" because the respondent used the mark only to the extent needed to refer to the subject of the litigation, and the associated website itself made it clear that it was not affiliated with the complainant. There was no "tarnishment" in the classic sense of associating the mark with unrelated, distasteful concepts such as violence, pornography, or illegal drugs. Having concluded that the respondent possessed a legitimate interest in the domain name, the panel rejected the argument that the respondent registered the domain name in bad faith, even though it was, arguably, briefly used in bad faith when it was temporarily parked at the registrar's PPC landing page (as are many of the Domain Names in the current proceeding).

Apart from advertising litigation services, as here, there are other contexts where UDRP respondents have claimed nominative fair use. These are often for noncommercial purposes such as criticism or fan sites, but also on occasion for the commercial purposes of resellers, distributors, repair and maintenance facilities, and value-added service providers. See WIPO Overview 3.0, sections 2.6, 2.7, and 2.8. UDRP panels have determined appropriate requirements to ensure fairness in those contexts, including accurately and prominently disclosing the respondent's relationship with the trademark holder and refraining from "cornering the market" on related domain names. Those conditions for ensuring fairness are instructive in the present context.

KBR and Amylin both found legitimate interests on the grounds of paragraph 4(c)(iii) of the Policy and did not discuss the question of whether using another's trademark in a domain name to solicit litigation clients can be a use "in connection with a bona fide offering of goods or services" under paragraph 4(c)(i) of the Policy. However, the concepts of fairness and good faith are closely related, and the examples of rights or legitimate interests listed in paragraph 4(c) of the Policy are not exclusive. Clearly, legal services are normally a lawful commercial offering, but deliberately using another's trademark to advertise them will only be considered bona fide for Policy purposes in circumstances that are usually elaborated more fully under the aegis of paragraph 4(c)(iii) of the Policy, to determine if there is "fair use" of the complainant's mark. That makes for a novel issue here, where none of the Respondent's websites have yet been developed. While paragraph 4(c)(i) of the Policy expressly contemplates that a respondent can demonstrate "preparations to use" a disputed domain name, paragraph 4(c)(iii) of the Policy refers only to a "use" of the domain name. But the illustrations in paragraph 4(c) of the Policy are not exhaustive, and the Panel considers that demonstrable preparations to make a legitimate, nominative fair use of the Domain Names could conceivably satisfy the requirement for establishing legitimate interests under the Policy. Mr. Eccleston's affidavit describes activities that appear to meet threshold expectations for "demonstrable preparations", such as a development agreement, strategic communications plans, social media and toll-free telephone orders, contacts with cooperating law firms, and changes to Mr. Eccleston's own website. See WIPO Overview 3.0, section 2.2. The preparations are very preliminary, but they are enough to support the account given in the Response.

Turning to the conditions for establishing nominative fair use under the Policy, the Respondent presents a plausible case for the necessity of using one of the standard-character marks in a domain name referring to the Complainant and the recent security incident. The trademarks are the same as the name of the Complainant and its ticker symbol; it is hard to refer to the Complainant without using one of these two marks. Displaying the Complainant's logo or a longer trademark would probably be inconsistent with the principle of minimization or economy (i.e., in keeping with the spirit of naming efficiency generally, and as far as fair use goes, using no more of the mark than is necessary). The claimed purpose for using the trademarks in the Domain Names is referential, and the Respondent limits its use of the trademarks to that purpose.

It might be questioned whether the sheer number of Domain Names here is consistent with the principle of referential or "fair" use, which insofar as "fairness" is concerned seems to presuppose some reasonable limitation not only as to "how" a mark is used, but also as to "how often", or whether it threatens to "corner the market" in relevant domain names, as UDRP panels have considered this in assessing nominative fair use in reseller scenarios. However, the same two marks are exposed across the range of Domain Names, and the effect of using multiple Domain Names is not unreasonably dissimilar to using multiple channels of advertising, which to the extent an analogy can be drawn, and all things being equal, is not forbidden. (The Complainant had already registered a domain name to use in connection with the security incident.) On the other hand, the reason for the Respondent's use of TLDs such as ".store", ".club", ".me", etc. is not readily apparent; rather the registrations seem almost random. Thus, there does not appear to be much to go on either way in terms of the Respondent dominating the market for all relevant domain names or, as alleged by the Complainant in connection with the issue of bad faith, attempting to deprive the Complainant of all relevant domain names.

In either event, having established a referential purpose for using trademarks in the Domain Names, the next steps in assessing overall fairness are to examine the nature of the Domain Names themselves and then to look at circumstances beyond the Domain Names (see WIPO Overview 3.0, sections 2.5.1 and 2.5.2). Domain Names incorporating trademarks carry a "high risk of implied affiliation" (id., section 2.5.1). Words added in the domain name, or content in the associated website, may either increase or avoid confusion as to source or affiliation.

While the Panel concluded that all of the Domain Names meet the confusing similarity requirement for purposes of establishing standing under the first element of the Policy, the standard is somewhat different in assessing the Respondent's claims of fair use for purposes of asserting a legitimate interest in the Domain Names. The question now (on the record before the Panel) is whether it is probable that these Domain Names "trigger an inference of affiliation" with the Complainant (WIPO Overview 3.0, section 2.1, 2.5.1).

One of the Domain Names very plainly does not: <equifaxfuckedme.com>. (See id., referring to "trademarksucks.com" cases.) Other Domain Names with accusatory phrases such as "hackedme", "hackedyou", or "hackedus" are unlikely to be seen as sponsored by the Complainant. While mindful that there may be different views on this point, in the Panel's view, it is also unlikely that the Complainant would use the word "hack" or "hacked" in a company-sponsored domain name, as that is a more colloquial term referring to being bested by computer hackers. It is also improbable that the Complainant would use derogatory wordplay such as "equihax" or "equihacks". Domain Names adding "lawsuit", "suit", or "attorney" (including ".attorney" as a generic Top-Level Domain) to the trademarks are almost self-evidently unlikely to be sponsored by the Complainant but might well be chosen by a law firm planning to sue the Complainant. These are all Domain Names that tend to communicate, on examination, that they are not affiliated with the Complainant.

By contrast, the Domain Names that incorporate one of the Complainant's trademarks in their entirety and add the word "breach" are likely to be confused as to source or sponsorship, especially as the Complainant itself has a domain name for information about this event. There are numerous US state and federal laws requiring organizations suffering security "breaches" to notify the affected persons. The US Federal Trade Commission web page concerning the Complainant's security incident is entitled, "The Equifax Data Breach: What to Do". Thus, in the Panel's view, in contrast to "hack", "breach" is a more neutral, descriptive term that might more plausibly be used either by the Complainant or by others. It is telling that the Complainant's own "Consumer Notice" at "www.equifaxsecurity2017.com" is labelled "Notice of Data Breach".

Beyond the Domain Names themselves, there are as yet no developed websites that can be examined for elements promoting or avoiding confusion (see WIPO Overview 3.0, section 2.5.2). The record includes only the Respondent's stated intentions and Mr. Eccleston's affidavit, so the Panel cannot examine an associated website or email use, for example, to investigate motivation or effects.

The Panel finds on this limited record and in particular as to the Respondent's claims made under oath as to its purposes that the Respondent has a legitimate, referential interest in most of the Domain Names, but that the Domain Names consisting simply of one of the Complainant's trademarks and the word "breach" are inherently likely to engender confusion as to source or affiliation, despite their potential referential value, with the exception of the Domain Name <equifaxbreach.attorney>, which consumers are likely to understand on its face as suggesting attorney services for those affected by the recent breach. As the Respondent has no shortage of Domain Names to use for providing information about the security incident and marketing related legal services, the Panel sees no hardship in obliging the Respondent to relinquish those Domain Names that are most likely to "misleadingly divert consumers … for commercial gain" which goes beyond mere referential use. Accordingly, the Panel finds that the Respondent has no rights or legitimate interests in the following 28 Domain Names:

<efxbreach.biz>
<efxbreach.club>
<efxbreach.co>
<efxbreach.info>
<efxbreach.life>
<efxbreach.me>
<efxbreach.mobi>
<efxbreach.online>
<efxbreach.org>
<efxbreach.store>
<efxbreach.today>
<efxbreach.website>
<efxbreach.xyz>
<equifaxbreach.club>
<equifaxbreach.co>
<equifaxbreach.email>
<equifaxbreach.guru>
<equifaxbreach.info>
<equifaxbreach.me>
<equifaxbreach.mobi>
<equifaxbreach.net>
<equifaxbreach.online>
<equifaxbreach.org>
<equifaxbreach.solutions>
<equifaxbreach.store>
<equifaxbreach.today>
<equifaxbreach.website>
<equifaxbreach.xyz> (collectively, the "28 Domain Names").

The Panel observes that the Respondent is standing on rather thin ice even with respect to the Domain Names that appear on their face less likely to be associated with the Complainant. This is because the Respondent has not yet published a single website comporting to its stated purpose and barely meets the standard for proving demonstrable preparations for a kind of bona fide or fair use that will require considerable care to keep within the bounds of paragraph 4(c) of the Policy. Meanwhile, many of the Domain Names resolve to PPC landing sites that appear to have been exploiting the Complainant's trademarks, evidently to the Registrar's gain, for roughly two months. The panel in Amylin accepted a "brief" two-month exploitation by the same registrar, where the respondent replaced the default PPC landing pages before the UDRP complaint was filed. If the Respondent here allows this situation to continue, however, or converts it to a PPC program benefitting the Respondent, it must know that this will cast doubt on its stated intentions for the Domain Names. The Respondent should be aware in this respect that the Complainant is not prevented from refiling a UDRP complaint (or, indeed, from filing a trademark infringement or similar legal action) if the Respondent fails to make timely bone fide or fair use of the Domain Names or otherwise establish a legitimate basis for maintaining them.

D. Registered and Used in Bad Faith

The Policy, paragraph 4(b), furnishes a non-exhaustive list of circumstances that "shall be evidence of the registration and use of a domain name in bad faith", including the following (in which "you" refers to the registrant of the domain name):

(i) circumstances indicating that you have registered or you have acquired the domain name primarily for the purpose of selling, renting, or otherwise transferring the domain name registration to the complainant who is the owner of the trademark or service mark or to a competitor of that complainant, for valuable consideration in excess of your documented out-of-pocket costs directly related to the domain name; or

(ii) you have registered the domain name in order to prevent the owner of the trademark or service mark from reflecting the mark in a corresponding domain name, provided that you have engaged in a pattern of such conduct; or

(iii) you have registered the domain name primarily for the purpose of disrupting the business of a competitor; or

(iv) by using the domain name, you have intentionally attempted to attract, for commercial gain, Internet users to your web site or other online location, by creating a likelihood of confusion with the complainant's mark as to the source, sponsorship, affiliation, or endorsement of your website or location or of a product or service on your website or location.

The ruling on the second element of the Complaint is effectively dispositive of the Complaint against 107 of the Domain Names in this proceeding.

For the remaining 28 Domain Names, those that consist of a trademark plus the word "breach" (with the exception of the Domain Name <equifaxbreach.attorney>, as explained above), the record does not indicate that the Domain Names were registered "primarily" to sell them to the Complainant for an exorbitant price (there is no evidence of such an attempt), expressly to deprive the Complainant of corresponding domain names, or to disrupt the Complainant's business (the evidence shows that the Respondent is not a competitor and has its own business plan).

The apposite instance is paragraph 4(b)(iv). By the Respondent's own admission, the 28 Domain Names are meant to be used for commercial gain, and they are likely to misdirect Internet users in the first instance, each incorporating one of the Complainant's trademarks in its entirety and adding the descriptive word "breach", which the Complainant itself uses publicly in connection with the recent security incident, with no other distinguishing words or phrases. Some of the 28 Domain Names are currently parked at PPC advertising portals, as discussed above, while others resolve to the "website coming soon!" message. Both trademarks are well-known, distinctive, coined terms, and the 28 Domain Names are inherently misleading for the reasons described above in connection with rejecting the Respondent's claim for legitimate interests in the 28 Domain Names. Accordingly, the Panel finds it appropriate to apply the "passive holding" doctrine even before the Respondent has fully realized its stated plans for the 28 Domain Names (indeed it would take a mere modicum of effort, e.g., to redirect those domain names to Mr. Eccleston's site) to find bad faith in the registration and use of the 28 Domain Names. See WIPO Overview 3.0, section 3.3. The Panel simply does not see how the Respondent can do so without the likelihood of misleading users for the Respondent's commercial gain – and the Respondent has many alternative Domain Names to achieve its commercial aims with less likelihood of confusion.

As for the 107 Domain Names for which the Panel found legitimate interests based on the nature of the Domain Names and the Respondent's preparations for use: the Panel's conclusions on legitimate interests and, indeed, inferences on good faith could be revisited in a refiled complaint if the Respondent's future conduct in publishing websites associated with the Domain Names do not comport with the stated rationale underlying the finding of legitimate interests. The Panel observes, for example, that bad faith could be found in allowing the Registrar to park the Domain Names at PPC landing sites. While it may be routine for certain registrars to park undeveloped domain names to a landing page with PPC advertising links, where the domain name owners do not share in the advertising revenues, this nevertheless represents a misleading use of a domain name that is confusingly similar to a trademark for commercial gain, even if not the Respondent's. Under the ICANN-mandated standard terms of domain name registration agreements, domain name owners remain responsible for ensuring that their domain names are not used in a manner that infringes the rights of others. As in Amylin, the Panel hesitates here to find bad faith in a case where the registrar parks domain names by default, before a new domain name owner takes action to redirect the domain name, replace the landing page with a "coming soon" notice, or display other content; of course, central to applying this rationale here is the Respondent's representations under oath as to its future plans. But allowing domain names that incorporate or mimic another party's trademarks to be used for monetized PPC landing pages indefinitely is irresponsible, unfair to the trademark owner, and inconsistent with the Respondent's obligations under the registration agreement. Were the Respondent to allow this practice to continue, it would call into question the Respondent's good faith in the registration and use of the Domain Names.

7. Decision

For the foregoing reasons, in accordance with paragraphs 4(i) of the Policy and 15 of the Rules, the Panel orders that the following 28 Domain Names be transferred to the Complainant:

<efxbreach.biz>
<efxbreach.club>
<efxbreach.co>
<efxbreach.info>
<efxbreach.life>
<efxbreach.me>
<efxbreach.mobi>
<efxbreach.online>
<efxbreach.org>
<efxbreach.store>
<efxbreach.today>
<efxbreach.website>
<efxbreach.xyz>
<equifaxbreach.club>
<equifaxbreach.co>
<equifaxbreach.email>
<equifaxbreach.guru>
<equifaxbreach.info>
<equifaxbreach.me>
<equifaxbreach.mobi>
<equifaxbreach.net>
<equifaxbreach.online>
<equifaxbreach.org>
<equifaxbreach.solutions>
<equifaxbreach.store>
<equifaxbreach.today>
<equifaxbreach.website>
<equifaxbreach.xyz>.

For the foregoing reasons, the Complaint is denied with respect to the following 107 Domain Names:

<efxhack.attorney>
<efxhack.biz>
<efxhack.club>
<efxhack.co>
<efxhack.info>
<efxhack.life>
<efxhack.me>
<efxhack.mobi>
<efxhack.online>
<efxhack.org>
<efxhack.store>
<efxhack.tips>
<efxhack.website>
<efxhack.xyz>
<efxlawsuit.attorney>
<efxlawsuit.com>
<efxlawsuit.info>
<efxlawsuit.net>
<efxlawsuit.org>
<efxsuit.attorney>
<efxsuit.info>
<efxsuit.online>
<efxsuit.org>
<equifaxbreach.attorney>
<equifaxfuckedme.com>
<equifaxhack.attorney>
<equifaxhack.biz>
<equifaxhack.club>
<equifaxhack.co>
<equifaxhacked.attorney>
<equifaxhacked.me>
<equifaxhackedme.biz>
<equifaxhackedme.club>
<equifaxhackedme.co>
<equifaxhackedme.com>
<equifaxhackedme.email>
<equifaxhackedme.info>
<equifaxhackedme.me>
<equifaxhackedme.mobi>
<equifaxhackedme.net>
<equifaxhackedme.online>
<equifaxhackedme.org>
<equifaxhackedme.solutions>
<equifaxhackedme.store>
<equifaxhackedme.today>
<equifaxhackedme.website>
<equifaxhackedme.xyz>
<equifaxhackedus.com>
<equifaxhackeduse.com>
<equifaxhackedyou.com>
<equifaxhack.email>
<equifaxhack.info>
<equifaxhack.me>
<equifaxhack.mobi>
<equifaxhack.online>
<equifaxhack.org>
<equifaxhack.solutions>
<equifaxhack.store>
<equifaxhack.tips>
<equifaxhack.today>
<equifaxhack.website>
<equifaxhack.xyz>
<equifaxlawsuit.info>
<equifaxlawsuit.me>
<equifaxlawsuit.net>
<equifaxlawsuit.online>
<equifaxsuit.info>
<equifaxsuit.me>
<equifaxsuit.net>
<equifaxsuit.online>
<equifaxsuit.org>
<equifaxsuit.xyz>
<equihacks.attorney>
<equihacks.biz>
<equihacks.club>
<equihacks.co>
<equihacks.guru>
<equihacks.info>
<equihacks.life>
<equihacks.me>
<equihacks.mobi>
<equihacks.net>
<equihacks.online>
<equihacks.org>
<equihacks.store>
<equihacks.today>
<equihacks.vip>
<equihacks.website>
<equihacks.xyz>
<equihax.attorney>
<equihax.biz>
<equihax.club>
<equihax.co>
<equihax.company>
<equihax.info>
<equihax.life>
<equihax.me>
<equihax.mobi>
<equihax.online>
<equihax.org>
<equihax.rocks>
<equihax.solutions>
<equihax.store>
<equihax.today>
<equihax.website>
<equihax.work>
<equihax.xyz>.

Because the Respondent has not yet published developed websites associated with any of the Domain Names, and the Decision depends largely on the Respondent's stated intentions and the Affidavit of Mr. Eccleston concerning preparations to use the Domain Names, the Panel takes the unusual step of entering this Decision expressly without prejudice to the refiling of a Complaint concerning any or all of the 107 Domain Names for which the Complaint is denied (a) after associated websites are published or (b) to the extent that any of the Domain Names continue to be used for third-party advertising landing pages after a reasonable transition period.

W. Scott Blackmer
Sole Panelist
Date: December 5, 2017

1 This analysis is consistent with the approach taken under US trademark law by the US Ninth Circuit Court of Appeals in New Kids on the Block v. News America Publishing, Inc., 971 F. 2d 302 (9th Cir. 1992) and Playboy Enterprises, Inc. v. Welles, 279 F. 3d 796 (9th Cir. 2002), which permits "nominative use" (a kind of fair use) of a trademark where (1) the product or service cannot be readily identified without using the trademark, (2) only so much of the mark is used as is reasonably necessary, and (3) the user does nothing to suggest sponsorship or endorsement by the trademark holder. Under the Rules, paragraph 15, the Panel finds it appropriate to refer to US trademark law in this proceeding, as in KBR, where both parties are located in the US.