DECISION

 

Capital One Financial Corp. v. AWT / Joe M

Claim Number: FA1908001855882

 

PARTIES

Complainant is Capital One Financial Corp. (sometimes referred to herein as the “Complainant”), represented by John Gary Maynard, Virginia, USA.  Respondent is AWT / Joe M (“Respondent”), Georgia, USA.

 

REGISTRAR AND DISPUTED DOMAIN NAME

The domain name at issue is <capitalonedatabreach.com>, registered with eNom, LLC (sometimes referred to herein as the “Disputed Domain Name”).

 

PANEL

The undersigned certifies that he has acted independently and impartially and to the best of his knowledge has no known conflict in serving as Panelist in this proceeding.

 

Kendall C. Reed as Panelist.

 

PROCEDURAL HISTORY

Complainant submitted a Complaint to the Forum electronically on August 6, 2019; the Forum received payment on August 6, 2019.

 

On August 6, 2019, eNom, LLC confirmed by e-mail to the Forum that the <capitalonedatabreach.com> domain name is registered with eNom, LLC and that Respondent is the current registrant of the name.  eNom, LLC has verified that Respondent is bound by the eNom, LLC registration agreement and has thereby agreed to resolve domain disputes brought by third parties in accordance with ICANN’s Uniform Domain Name Dispute Resolution Policy (the “Policy”).

 

On August 9, 2019, the Forum served the Complaint and all Annexes, including a Written Notice of the Complaint, setting a deadline of August 29, 2019 by which Respondent could file a Response to the Complaint, via e-mail to all entities and persons listed on Respondent’s registration as technical, administrative, and billing contacts, and to postmaster@capitalonedatabreach.com.  Also, on August 9, 2019, the Written Notice of the Complaint, notifying Respondent of the e-mail addresses served and the deadline for a Response, was transmitted to Respondent via post and fax, to all entities and persons listed on Respondent’s registration as technical, administrative and billing contacts.

 

A timely Response was received and determined to be complete on August 19, 2019.

 

A timely Additional Submission was filed by Complainant on August 26, 2019.

 

On August 21, 2019, pursuant to Complainant's request to have the dispute decided by a single-member Panel, the Forum appointed Kendall C. Reed as Panelist.

 

Having reviewed the communications records, the Administrative Panel (the "Panel") finds that the Forum has discharged its responsibility under Paragraph 2(a) of the Rules for Uniform Domain Name Dispute Resolution Policy (the "Rules") "to employ reasonably available means calculated to achieve actual notice to Respondent" through submission of Electronic and Written Notices, as defined in Rule 1 and Rule 2.

 

RELIEF SOUGHT

Complainant requests that the Disputed Domain Name be transferred from Respondent to Complainant.

 

PARTIES' CONTENTIONS

A. Complainant

Complainant is a major financial institution headquartered in McLean, Virginia. It was founded in 1980 and has used the mark CAPITAL ONE since the company began. Complainant or its subsidiaries own over 100 trademark registrations or applications all over the world, including United States registration 3442400, issued June 3, 2005, for the mark CAPITAL ONE (the “Complainant’s Mark”).

 

The Dispute Domain Name is confusingly similar to the Complainant’s Mark because it was registered within hours after Complainant recently announced that it had suffered a cyber incident affecting more than 100 million customers. This fact alone establishes that Respondent attempted to create an association with the Complainant and Complaint’s Mark. 

 

Additionally, the Disputed Domain Name includes the entirety of Complainant’s Mark and merely adds a top-level domain and the generic or descriptive terms “data” and “breach,” all of which are insufficient to obviate confusing similarity. In fact, these generic terms actually exacerbates the confusion by suggesting the services offered by Complainant. 

 

Respondent should not be considered as having rights or legitimate interests in the Disputed Domain Name for the following reasons.  First, the Whois record does not support the conclusion that Respondent is commonly known by the Disputed Domain Name. Second, Complainant has not authorized Respondent to use Complainant’s Mark. And third, Respondent is not using the Disputed Domain Name; it resolves to a page that states: “This site can’t be reached - The webpage at http://capitalonedatabreach.com/ might be temporarily down or it may have moved permanently to a new web address.”

           

Respondent’s use of the Disputed Domain Name is in bad faith for the following reasons. First, Respondent is using the Disputed Domain Name to resolve to a blank or inactive page, and the failure to actively use a domain name constitutes bad faith. Second, Respondent clearly capitalized on the media coverage of the noted data breach and intentionally chose the Disputed Domain Name to refer to Complainant and opportunistically capitalize on the associated publicity. And third, this tribunal has previously found that Complainant’s Mark is famous, and this supports a finding that Respondent is attempting to trade off of Complainant’s good will in Complainant’s Mark. 

 

B. Respondent

Respondent is not interfering with Complainant’s rights under the Policy.

 

The “date breach” that Complainant suffered was a news worth event and the association between this event the Complainant’s Mark is merely incidental and arises from the facts of the event, not out of a desire or intention to trade on Complainant’s good will in Complaint’s Mark. 

 

The words “data breach” are not part of the Complainant’s Mark and do not cause confusion with Complainant’s products or services because, whatever these products and services are, they do not include data breaches. 

 

Complainant’s conclusions about Respondents’ intentions with respect to bad faith are mere speculation.

 

Respondent did not have a specific intention to monetize the Disputed Domain Name when he registered it.  He saw the media reports of the data breach, and he thought he could provide to the public information about the breach “…and maybe run ads or sometime later or redirect traffic to [his] business website.”

 

Respondent never intended to sell the Disputed Domain Name. If this had been his intention, he would not have used a privacy service to protect his identity. 

 

The blank page to which the Dispute Domain Name initially directed was due to Respondent working on the details of his website, such as layout, as he had time. He had no specific target date for going live.

 

Respondent has now activated his website to which the Disputed Domain Name directs (“Respondent’s Website”), and Respondent provided (as an exhibit) a screen shot of Respondent’s Website. The complete content of Respondent’s Website is as follows:

 

“Capital One Data Breach

This website isn’t affiliated with Capital One

On July 19th, 2019 information from over 100 million people, including social security and bank-account numbers, had been compromised. If you applied for a Capital One credit card from 2005 through early 2019, there’s a good chance you’re affected. Capital One said that “about 140,000 social security numbers” from credit-card customers were taken, as well as “about 80,000 linked bank account numbers” from secured credit-card customers and “approximately 1 million social insurance numbers” from Canadian credit-card customers, business insider reported in this article which includes important information about how to protect yourself: HTTPS://WWW.BUSINESSINSIDER.COM/CAPITALONE-HACK-WAS-DATA-STOLEN2019-7#2-FREEZE-YOUR-CREDIT-3.”

 

C. Complainant’s Additional Submission

Respondent’s admits that he always intended to run ads and redirect traffic to his business website from Respondent’s Website, which conclusively proves that his intention is in bad faith under the Policy. 

 

Further, this admission demonstrates that Respondent does not have legitimate non-commercial rights in the Disputed Domain Name.

 

The content of Respondent’s Website should not be considered by the Panel. This content was created after the Complaint herein was filed, and it is a self-serving attempt to create a false defense. 

 

The three images of Capital One credit cards also found on Respondent’s Website only further exacerbates Respondent’s bad faith. 

 

FINDINGS

Complainant is the owner of USPTO registration 3442400 for the mark CAPITAL ONE, which registration issued on June 3, 2005. 

 

Respondent registered the Disputed Domain Name, <capitalonedatabreach.com>, on July 30, 2019.

 

Respondent’s Website includes information about Complainant’s Data Breach and does not include advertisements or click-through options. 

 

DISCUSSION

Paragraph 15(a) of the Rules instructs this Panel to "decide a complaint on the basis of the statements and documents submitted in accordance with the Policy, these Rules and any rules and principles of law that it deems applicable."

 

Paragraph 4(a) of the Policy requires that Complainant must prove each of the following three elements to obtain an order that a domain name should be cancelled or transferred:

 

(1)  the domain name registered by Respondent is identical or confusingly similar to a trademark or service mark in which Complainant has rights; and

(2)  Respondent has no rights or legitimate interests in respect of the domain name; and

(3)  the domain name has been registered and is being used in bad faith.

 

Identical and/or Confusingly Similar

In order to establish the first element of the Policy, Complainant must demonstrate that it has rights in a trademark and that the Disputed Domain Name is identical or confusingly similar to that trademark.

 

It is generally accepted that rights in a trademark can be demonstrated by showing registration with a national trademark agency, such as the USPTO. See Humor Rainbow, Inc. v. James Lee, FA 1626154 (Forum Aug. 11, 2015)(stating, “There exists an overwhelming consensus amongst UDRP panels that USPTO registrations are sufficient in demonstrating a complainants’ rights under Policy ¶ 4(a)(i) and its vested interests in a mark…Due to Complainant’s attached USPTO registration on the principal register at Exhibit 1, the Panel agrees that it has sufficiently demonstrated its rights per Policy ¶ 4(a)(i).”)

 

In the present case, the Complainant’s Mark is registered with the USPTO, and its rights for purpose of the Policy are thereby established.    

 

Whether the Disputed Domain Name is identical or confusingly similar to the Complainant’s Mark is determined by the Panel by way of a simple comparison of the two. In making the comparison, the gTLD is generally ignored, as are minor variations and, similarly, additional words if they do not create a meaningful distinction. See Microsoft Corporation v. Thong Tran Thanh, FA 1653187 (Forum Jan. 21, 2016) (determining that confusing similarity exists where [a disputed domain name] contains Complainant’s entire mark and differs only by the addition of a generic or descriptive phrase and top-level domain, the differences between the domain name and its contained trademark are insufficient to differentiate one from the other for the purposes of the Policy).

 

In the present case, the Complainant’s Mark is CAPITAL ONE. The Disputed Domain Name is <capitalonedatabreach.com>, which includes the entirety of the Complainant’s Mark with the addition of the words “data breach” and the gTLD “.com.” The Panel finds that these additional words and the gTLD do not create a meaningful distinction.  In fact, as Complainant argues and Respondent confirms, Respondent’s purpose for creating the Disputed Domain Name was to refer to Complainant; in this, Respondent was successful.

 

Respondent argues that there is no confusion because the Disputed Domain Name includes the words “data breach,” and Complainant’s products and services do not include this.  However, this is not the correct focus under Policy ¶4(a)(i). The correct focus is on a comparison of the disputed Domain Name and the Complainant’s Mark. The Complainant’s products and services are not relevant for this element of the Policy. 

 

As such, Complainant has established the first element of the policy. 

 

Rights or Legitimate Interests

This matter turns on this issue, and the Panel finds that Respondent has established normative fair use. 

 

The governing provision of the Policy is ¶ 4(c)(iii), which reads in pertinent part (with preamble): “Any of the following circumstances…if found by the Panel to be proved based on its evaluation of all evidence presented, shall demonstrate your [Respondent’s] rights or legitimate interest to the [disputed] domain name for purposes of Paragraph 4(a)(ii): …(iii) you are making a legitimate noncommercial or fair use of the [disputed] domain name, without intent for commercial gain to misleadingly divert consumers or to tarnish the trademark or service mark at issue.” 

 

Under this language, a commercial use of the Disputed Domain Name would preclude a finding of normative fair use. So, if Respondent included click-through opportunities or advertising on Respondent’s Website, that would likely be fatal to a claim of normative fair use. See Mervis Diamond Corporation d/b/a Mervis Diamond Importers v. Brian Cummings / Cummings Manookian, FA1673789 (Forum) (July 15, 2016) (Denying Respondent’s nominative fair use defense as the disputed domain name redirect Internet users to a landing page that contained the phrases “Diamond Overgrading”,  “Mervis Diamond Importers”, and “You May Be Entitled To Significant Compensation.” At the top of this landing page to the website is an icon, “Start a Claim”, which takes the Internet user to the following: “request your free case evaluation” and “If you think you may have been the victim of diamond over-grading, it’s time to give yourself the peace of mind and get an experienced consumer rights attorneys working to secure your recovery.  Fill out the form below to receive a free and confidential evaluation.” Much of the website refers to generalized information about diamond over-grading, aiming to lead consumers to proceed with lawsuits.) (finding for Complainant);

 

However, as noted above, Respondent has not done this. Respondent’s use is to provide what appears to be correct information about the data breach (the Panel has not independently researched this and Complainant has not argue otherwise) for the benefit, or at least potential benefit, of Internet users who might be interested, and the Panel finds that this is constitutes a normative fair use under Policy ¶4(c)(iii). See Chicago Bd. Options Exch. Inc. v. Private, FA 804703 (Forum Nov. 29, 2006) (finding that the respondent had rights or legitimate interests in the <oexstreet.com> domain name because its use of the complainant’s OEX mark to provide information on the complainant’s Options Exchange and not to compete with the complainant was a nominative use). See also KBR, Inc. v. Jeffrey L. Raizner / Jeffrey Raizner, FA1413439 (Forum Dec. 27, 2011) (“During an independent visit to the <kbrlitigation.com> website conducted on December 20, 2011 the Panel confirmed that the website at the disputed domain name contains news published by media, videos showing partners of Respondent's law firm reporting on current developments of the litigation against Complainant, press articles on recent judicial decisions, blogs and other content related to such litigations. Thus, Respondent’s actions, in the Panel’s view, clearly represent a nominative fair use of Complainant’s mark. Such use is protected both under paragraph 4(c)(iii) of the Policy and under the trademark laws of the United States of America, the country of residence of both Parties.”) (finding for Respondent); See also Capgemini North America, Inc. v. Randel Tomina, FA1658191 (Forum Apr. 11, 2016) (“Respondent’s website qualifies as a bona fide criticism site… The site indicates, in part, that it was ‘created to expose Capgemini, a company that caused me over $100,000 in loses. Perhaps you are a candidate considering a position with Capgemini. I invite you to read my story, which is 100% factual and backed up in emails, and decide from there if you should turn down opportunities and join Capgemini.’ At another point in time the site read, in part, as follows: ‘This page is run by a former Capgemini Employee that had my job rescinded before I could start without cause.  I am a whistleblower here to inform and protect others from experiencing what Capgemini did to me. I have lost thousands of dollars due to Capgemini’s negligence. Capgemini’s goal is to threaten twitter into removing this page.’”) (finding for Respondent). 

 

Complainant argues that normative fair use cannot be found under the circumstances of this matter because Respondent admits he always intended to improperly monetize the Disputed Domain Name by adding click-through options and advertising to Respondent’s Website.

 

The Panel disagrees. Respondent did not say that he would do these things, only that he thought he might, and as noted above, he has not followed through with these thoughts. What Complainant states is a certainty is actually a mere possibility. 

 

A possibility is not sufficient. To hold otherwise would be to preclude ever finding normative fair use because in every situation involving normative fair use a possibility exists that the registrant could later change the situation by inserting improper efforts to monetize.

 

If Respondent does add click-through options or advertising or otherwise attempts to improperly monetize the Disputed Domain Name at some time in the future, Complainant would then be free to raise an objection, and the matter would be resolved by another Panel based on its evaluation of all of the evidence presented.

 

Complainant argues that Respondent created the Respondent’s Website only after the Complaint was filed, and this suggests that the content (as quoted above) is merely a self-serving effort to create a false defense; for this reason, this content should be ignored. The Panel disagrees. Whereas it might be true that Respondent was motivated by the filing of the Complaint, what Respondent created was not objectionable, and further, the timing is not inconsistent with an ordinary process of website development. In this regard, the Panel notes that the Disputed Domain Name was registered only about two months ago. 

 

As such, Complainant has failed to establish the second element of the Policy.

 

Registration and Use in Bad Faith

In situations in which the Panel has found that the Respondent has rights or legitimate interests in the Disputed Domain Name, the question of Respondent’s bad faith registration and use of the Disputed Domain Name is moot. See Record Connect, Inc. v. Chung Kit Lam / La-Fame Corporation, FA 1693876 (Forum Nov. 3, 2016) (finding that the issue of bad faith registration and use was moot once the panel found the respondent had rights or legitimate interests in the disputed domain name); see also Sheet Labels, Inc. v. Harnett, Andy, FA 1701423 (Forum Jan. 4, 2017) (finding that because the respondent had rights and legitimate interests in the disputed domain name, its registration of the name was not in bad faith).

 

DECISION

Having failed to establish all three elements required under the ICANN Policy, the Panel concludes that relief shall be DENIED.

 

Accordingly, it is Ordered that the <capitalonedatabreach.com> domain name shall REMAIN with Respondent.

 

 

Kendall C. Reed, Panelist

Dated: September 2, 2019

 

 

Click Here to return to the main Domain Decisions Page.

Click Here to return to our Home Page