`Bradley P. Hartman (#017263)
`John D. Titus (#012912)
`HARTMAN TITUS PLC
`3507 N. Central Ave., Suite 101
`Phoenix, AZ 85012-2121
`Phone: (602) 235-0500
`Email: bhartman@hartmantitus.com
`
`jtitus@hartmantitus.com
`Attorneys for Plaintiffs
`
`
`
`
`Proofpoint, Inc., a Delaware corporation,
`and Wombat Security Technologies, Inc., a
`Delaware corporation,
`
`
`Plaintiffs,
`
`
`
`
`
`
`
`
`
`
`
`IN THE UNITED STATES DISTRICT COURT
`
`FOR THE DISTRICT OF ARIZONA
`
`
`Civil No.
`
`
`COMPLAINT FOR DECLARATORY
`RELIEF UNDER THE LANHAM ACT
`
`
`
`vs.
`
`Facebook, Inc., a Delaware corporation,
`and Instagram, LLC, a Delaware limited
`liability company,
`
`
`Defendants.
`
`
`
`This is a suit by Proofpoint, Inc., and Wombat Security Technologies, Inc.
`
`(“Plaintiffs”), against Defendants, Facebook, Inc., and Instagram, LLC (“Defendants”), for
`
`declaratory relief under the Lanham Act pursuant to 28 U.S.C. § 2201.
`
`INTRODUCTION
`
`1.
`This is an action for declaratory relief pursuant to 28 U.S.C. § 2201 to establish
`that Plaintiffs’ registration and use of the internet domain names <facbook-login.com>,
`<facbook-login.net>, <instagrarn.ai>, <instagrarn.net>, and <instagrarn.org> (the “Domain
`
`Case 2:21-cv-00226-DJH Document 1 Filed 02/09/21 Page 2 of 11
`
`
`
`Names”) is not unlawful under the Anticybersquatting Consumer Protection Act, 15 U.S.C.
`§ 1125(d) (the “ACPA”), or otherwise under the Lanham Act, 15 U.S.C. § 1051 et seq.
`2.
`This action is also filed to prevent the transfer of the Domain Names to
`Defendants, which was ordered in an administrative decision on January 25, 2021, under the
`Uniform Domain Name Dispute Resolution Policy (the “UDRP”) in a non-binding
`proceeding captioned Facebook, Inc. and Instagram, LLC v. WhoisGuard Protected,
`WhoisGuard, Inc. / Phishing Operations, Wombat Security Technologies, World Intellectual
`Property Organization Arbitration and Mediation Center, Case No. D2020-3218.
`PARTIES
`3.
`Plaintiff, Wombat Security Technologies, Inc., is a Delaware corporation.
`Wombat Security Technologies, Inc., is owned and operated by Proofpoint, Inc., a Delaware
`Corporation. Wombat Security Technologies, Inc., and Proofpoint, Inc., are collectively
`referred to as “Proofpoint.” Proofpoint has offices at 925 West Maude Avenue, Sunnyvale,
`CA 94085.
`4.
`On information and belief, Defendant, Facebook, Inc., is a Delaware
`corporation with a principal place of business at 1 Hacker Way, Menlo Park, California
`94025.
`5.
`On information and belief, Defendant, Instagram, LLC, is a Delaware limited
`liability company with a principal place of business at 1601 Willow Road, Menlo Park,
`California 94025.
`
`JURISDICTION AND VENUE
`6.
`This Court has subject matter jurisdiction over this action pursuant to Section
`39 of the Trademark Act of 1946 (the “Lanham Act”), 15 U.S.C. § 1121, and under 28
`U.S.C. §§ 1331 and 1338(a). More specifically, this Court has jurisdiction pursuant to 28
`U.S.C. § 1331 because this cause arises under 15 U.S.C. § 1114 in that Plaintiffs are the
`registrant of Domain Names that are subject to transfer under a policy provided by the
`registrar thereof relating to alleged conflict with a trade or service mark claimed by
`
`Defendants, and under 28 U.S.C. § 2201(a) “In a case of actual controversy within its
`jurisdiction, . . . any court of the United States, upon the filing of an appropriate pleading,
`may declare the rights and other legal relations of any interested party seeking such
`declaration, whether or not further relief is or could be sought.”
`7.
`This Court has personal jurisdiction over Defendants because Defendants
`agreed to submit to the jurisdiction of this Court when they initiated an administrative
`proceeding pursuant to the UDRP concerning the Domain Names. Specifically, Defendants
`agreed in their UDRP complaint to “submit, with respect to any challenge that may be made
`by the Respondent to a decision by the Administrative Panel to transfer or cancel the Domain
`Names that are the subject of this Complaint, to the jurisdiction of the principal office of the
`concerned Registrar.”
`8.
`The registrar for the Domain Names is NameCheap, Inc., a Delaware
`corporation with principal offices at 4600 East Washington Street, Suite 305, Phoenix,
`Arizona 85034.
`9.
`Venue is proper in this district pursuant to 28 U.S.C. § 1391(b), as a substantial
`part of the events giving rise to the claims occurred in this district. Furthermore, the registrar
`of the Domain Names is located in this district.
`FACTS
`
`10.
`Proofpoint is a leading, publicly traded enterprise security company with a
`market capitalization of approximately $7 billion. Proofpoint provides software as a service
`and other products for inbound email security, outbound data loss prevention, social media,
`mobile devices, digital risk, email encryption, electronic discovery (“eDiscovery”), and
`email archiving.
`11.
`Proofpoint’s solutions protect organizations’ greatest assets and biggest risks:
`their people. Its cybersecurity solutions include the following:
`a)
`preventing email and cloud-based threats, including malware, credential
`phishing and email fraud;
`
`b)
`reducing successful phishing attacks and malware by helping people
`spot and report unsafe email and by safeguarding their personal digital
`activity;
`c)
`securing digital channels and blocking impostor attacks and malicious
`content that use trusted and lookalike email and web domains, social
`media, the dark web, and more;
`d)
`protecting sensitive data and assisting with compliance with ever-evolving
`regulations;
`e)
`collecting, archiving, supervising and monitoring sensitive data in a
`compliant and legally defensible manner; and
`f)
`providing security awareness training, including phishing simulation
`training campaigns, to customers to help train them on how to spot and
`properly respond to phishing attacks.
`
`12.
`Proofpoint has been widely recognized by third parties for its effective
`cybersecurity solutions that have protected many companies from online deception. For
`example, Forbes recently published an article based on an interview with Proofpoint’s CFO,
`Paul Auvil. See Exhibit A,
`https://www.forbes.com/sites/jeffthomson/2020/12/04/cybersecurity-in-an-age-of-financial-threats-a-qa-with-proofpoints-cfo/?sh=76dc8d5b19ed.
`The online magazine Information Age also recently published an article about Proofpoint’s
`Senior Sales Director Rob Bolton discussing cybersecurity threats in the work-from-home
`reality. See Exhibit B,
`https://www.information-age.com/proofpoint-gm-discusses-insider-threats-work-from-anywhere-reality-123492767/.
`A sampling of Proofpoint’s many awards and recognitions, which are too numerous to
`detail here, may be found in Exhibit C,
`https://www.proofpoint.com/us/news?type=All#in-the-news.
`13. One of the ways Proofpoint provides its cybersecurity solution services is by
`conducting training to help its clients’ workforce recognize cybersecurity threats, including
`phishing attacks.
`14.
`To make the training exercise more realistic, Proofpoint intentionally uses
`domain names that look like typo-squatted versions of recognizable domain names, such as
`<facbook-login.com>, <instagarn.org> and the other Domain Names at issue in these
`proceedings.
`15. By using domain names similar to those of well-known companies, Proofpoint
`is able to execute a more effective training program because the workforce is more likely to
`learn to distinguish typo-squatted domains, which are commonly abused by bad actors to
`trick workers, from legitimate domain names. This protects both the employer that provides
`this training to its workforce as well as the owners of legitimate domain names, including
`social-media companies like Defendants.
`16. As part of its cybersecurity solution services, Proofpoint sends an imitation
`phishing e-mail containing the Domain Names to people undergoing training. The
`individuals undergoing training either (a) ignore the fake phishing email; (b) report the
`email; or (c) click the simulated phishing link in the email, leading them to one of the
`Domain Names, in which event they receive a teachable moment notice informing them that
`they responded to a phishing attempt as part of a training exercise. This process helps to
`reinforce the desired behavior of the recipient, which is to ignore or report the phishing email
`attack, or to be taught the proper behavior in case the recipient did in fact click on the
`simulated phishing link. A representative example of such a teachable moment notice is
`shown below:
`See Exhibit D.
`
`17.
`Individuals who receive the imitation e-mail and click on the simulated
`phishing link are directed to a teachable moment notice, such as the one shown above. By
`doing so, Proofpoint is helping those individuals who were baited into clicking on the
`simulated phishing link to safely learn from their mistakes and further train them to identify
`similar malware, phishing, and Internet bad actors so that they can avoid actual cybersecurity
`breaches in the future.
`18. As shown in the image above, this representative teachable moment notice
`includes a disclaimer that states in part: “This phishing simulation was provided by your
`employer to help teach you to recognize commonly-used phishing risks. To appear as
`
`realistic as possible, it may contain the name, brand or logo of unaffiliated third parties.”
`Exhibit D (emphasis added).
`19.
`Each teachable moment notice that is displayed when an individual clicks on
`a simulated phishing link in Plaintiffs’ cybersecurity imitation emails includes a disclaimer
`similar to the one shown in Exhibit D.
`20.
`When consumers visit the Domain Names outside of Plaintiffs’ cybersecurity
`imitation phishing emails, i.e., when consumers type in one of the Domain Names into an
`internet address bar, that consumer is shown the following message:
`
`
`
`See Exhibit E.
`
`21.
`The message on the websites displayed at the Domain Names immediately
`informs visitors that the domain belongs to Proofpoint and is being used for training services
`offered by Proofpoint.
`22.
`Proofpoint’s registration and use of the Domain Names has been in good faith
`and for a legitimate purpose.
`23.
`Proofpoint’s registration and use of the Domain Names also is a fair use of the
`relevant trademarks of Defendants.
`
`UDRP Proceeding
`24. On or about November 30, 2020, Defendants filed a UDRP action against
`Plaintiffs alleging the Domain Names are confusingly similar to Defendants’ trademarks
`FACEBOOK and INSTAGRAM.
`25.
`In the UDRP proceeding, Defendants alleged Proofpoint is not making use of
`the Domain Names in connection with a bona fide offering of goods or services.
`26.
`In fact, Plaintiffs do have legitimate interests in using the Domain Names in
`connection with the bona fide offering of services to the public.
`27.
`Plaintiffs have made legitimate fair use of the Domain Names, and such use
`does not suggest an association between Plaintiffs and Defendants or create a reasonable
`likelihood of consumer confusion regarding the source of Plaintiffs’ services or the source of
`Defendants’ services.
`28. Consumer confusion is unlikely because Proofpoint clearly states on the
`websites to which the Domain Names are pointed: “Hi! This web site belongs to Proofpoint
`Security Awareness Training. This domain is used to teach employees how to recognize and
`avoid phishing attacks.” See Exhibit E.
`29.
`Thus, consumers who reach the Domain Names by typing the Domain Names
`into an internet address bar know that the domain belongs to Proofpoint and that any services
`related to the domains originate from Proofpoint and not from Defendants.
`30. Customer confusion also is unlikely among those individuals participating in
`Plaintiffs’ cybersecurity training programs because the teachable moment notice displayed
`when individuals click the link for one of the Domain Names includes a disclaimer similar to
`the following: “This phishing simulation was provided by your employer to help teach you to
`recognize commonly-used phishing risks. To appear as realistic as possible, it may contain
`the name, brand or logo of unaffiliated third parties.” See Exhibit D.
`31.
`In the UDRP proceeding, Defendants alleged Proofpoint registered and used
`the Domain Names in bad faith.
`
`32.
`In fact, Plaintiffs registered and used the Domain Names in good faith as part
`of their business of providing effective training programs that enable employees to learn to
`distinguish typo-squatted domains from legitimate domain names.
`33. Registration of the Domain Names by Plaintiffs was lawful.
`34. Notwithstanding Plaintiffs’ lawful registration and use of the Domain Names,
`on January 25, 2021, an arbitrator appointed by the World Intellectual Property Organization
`Arbitration and Mediation Center issued a decision ordering transfer of the Domain Names
`to Defendants.
`35. On January 27, 2021, the World Intellectual Property Organization Arbitration
`and Mediation Center notified Namecheap of the UDRP decision ordering transfer of the
`Domain Names to Defendants.
`36. Under the UDRP, Namecheap will transfer the Domain Names to Defendants
`within ten business days of receiving notification of the UDRP decision unless legal action
`for independent determination of the Plaintiffs’ rights is commenced by Plaintiffs in this
`judicial district.
`
`COUNT I
`Declaratory Relief – Non-Violation of the Lanham Act under 28 U.S.C. § 2201
`37.
`Plaintiffs re-allege paragraphs 1 through 36 as if fully set forth herein.
`38.
`Plaintiffs’ registration and/or use of the Domain Names does not violate
`Defendants’ rights under the Lanham Act.
`39.
`In registering the Domain Names, Plaintiffs did not have “bad faith intent,” as
`provided in 15 U.S.C. § 1125(d)(1)(A)(i), to profit from Defendants’ alleged trademark
`rights.
`40. At the time Plaintiffs registered the Domain Names and at all times subsequent
`thereto, Plaintiffs have used, and have intended to use, the Domain Names for legitimate or
`fair-use purposes.
`
`41.
`Plaintiffs had reasonable grounds to believe that their registration and/or use of
`the Domain Names was a fair use or otherwise lawful use, as provided in 15 U.S.C.
`§ 1125(d)(1)(B)(ii).
`42.
`Plaintiffs reasonably believe their registration and use of the Domain Names
`was and is lawful under the Lanham Act.
`43.
`There is an actual controversy with respect to whether the Defendants are
`entitled to obtain transfer of the Domain Names away from Plaintiffs based on Defendants’
`alleged rights under the Lanham Act.
`44.
`In the absence of a declaration from the Court, Namecheap will transfer the
`Domain Names to the control of Defendants, and Plaintiffs will suffer immediate and
`irreparable harm.
`45.
`Such real and actual controversy is of sufficient immediacy and reality to
`warrant declaratory relief.
`46.
`Plaintiffs’ registration and use of the Domain Names does not, and is not likely
`to, cause confusion, or to cause mistake, or to deceive as to the affiliation, connection or
`association of Plaintiffs with Defendants, or as to the origin, sponsorship, or approval of
`Plaintiffs’ services or commercial activities by Defendants.
`47.
`Plaintiffs’ registration and use of the Domain Names do not misrepresent the
`nature, characteristics, qualities, or geographic origin of Plaintiffs’ services or Defendants’
`goods, services, or commercial activities.
`48.
`Plaintiffs seek a judicial declaration pursuant to 28 U.S.C. § 2201 that
`(a) Plaintiffs’ registration of the Domain Names was not in bad faith, (b) Plaintiffs’ use of
`the Domain Names will not cause confusion or mistake or deceive the public, and (c) by
`registering and using the Domain Names, Plaintiffs have not infringed, and do not infringe,
`any valid trademark rights of Defendants.
`
`
`DEMAND FOR TRIAL BY JURY
`
`
`
`49.
`Pursuant to Rule 38(b) of the Federal Rules of Civil Procedure, Plaintiffs
`hereby demand a trial by jury on any issue so triable.
`PRAYER FOR RELIEF
`WHEREFORE, Plaintiffs request judgment against the Defendants as follows:
`A.
`A declaration by the Court, pursuant to 28 U.S.C. § 2201, that Plaintiffs’
`registration, ownership and use of the Domain Names <facbook-login.com>,
`<facbook-login.net>, <instagrarn.ai>, <instagrarn.net>, and <instagrarn.org>
`are lawful and proper and do not infringe any right the Defendants may claim;
`B.
`A declaration by the Court, pursuant to 15 U.S.C. § 1114(D)(2)(v), that the
`registration of the Domain Names is not unlawful under the ACPA or
`otherwise under the Lanham Act, and the Domain Names are to be unlocked
`and reactivated with full ownership and use restored to Plaintiffs; and
`C.
`Awarding such other and further relief as the Court deems just and proper.
`
`
`
`
`
`
`
`
`DATED this 9th day of February, 2021.
`
`
`
`
`
`
`
`HARTMAN TITUS PLC
`By: /s/ Bradley P. Hartman
`
`Bradley P. Hartman
`John D. Titus
`3507 N. Central Ave., Suite 101
`Phoenix, Arizona 85012-2121
`
`
`PATTISHALL McAULIFFE NEWBURY
`HILLIARD & GERALDSON, LLP
`200 South Wacker Drive, Suite 2900
`Chicago, Illinois 60606
`Attorneys for Plaintiffs
`