The EU GDPR: One Year On

How the GDPR is Changing the Internet, Cyber Security, Brand Protection and the Responsibilities of Legal Departments Globally

On May 25, 2018, the General Data Protection Regulation (GDPR) became enforceable. While the primary purpose of the GDPR is to protect personal data of EU residents, its real impact has been far broader in geography and scope.

Join CSC®’s director of policy and industry affairs, Gretchen Olive, in this recorded webinar to explore how the GDPR has changed much more than the rules around data privacy.

In The EU GDPR: One Year On, Gretchen will address:

  • GDPR’s effect on the contents and availability of WHOIS information for domain names and upcoming ICANN policy changes;
  • GDPR’s impact on brand protection tactics;
  • The intersection of data privacy and cybersecurity;
  • The new and evolving cybersecurity role of in-house legal departments;
  • The best practices and controls every legal department should ensure their organization has in place to mitigate data privacy fines from regulators and cyberattacks from outside the firewall.

Webinar Transcript:

Disclaimer: Please be advised that this recorded webinar has been edited from its original format, which may have included a product demo.

James: Hello, everyone, and welcome to today's webinar, "The EU GDPR: One Year On: How the GDPR is Changing the Internet, Cyber Security, Brand Protection, and the Responsibilities of Legal Departments Globally." My name is James Weir, and I will be your moderator.

Joining us today is Gretchen Olive. Gretchen is the Director of Policy and Global Domain Name Services for CSC. For nearly two decades, Gretchen has helped Global 2000 companies devise global domain name, trademark, and online brand protection strategies and is a leading authority on the ICANN New gTLD Program. And with that, let's welcome Gretchen.

Gretchen: Thanks, James. Really glad to be here today, and thanks everyone for making time to join us.

So as usual, we have a packed agenda today. We'll obviously be focusing on the GDPR, but also diving into what the impact of the GDPR has been on the WHOIS, ICANN policy, brand protection tactics, as well as data privacy and cyber security. Then we're kind of going to transition into what this really all means for in-house counsel and hopefully give you some good tips and best practices on how to get your arms around both data privacy and cyber security.

So to ensure that we're all on kind of the same playing field, let's just start off with just a few basics about what is the GDPR. The GDPR is the General Data Protection Regulation, and that was a regulation that was replacing a directive, an EU directive from 1995. It became enforceable in May of last year, 2018. It actually had been enacted two years prior, so there was a two-year ramp-up period. And really what the GDPR is designed to do is to harmonize the data privacy laws across Europe and really to protect EU citizens and provide them with enhanced data privacy.

It does affect all companies worldwide, though. A lot of people don't understand its kind of extraterritorial nature. Just because your business is not, you know, situated in the EU doesn't mean that the GDPR doesn't apply to you. If you do business with EU citizens, the GDPR is going to impact your company and is going to apply to you.

So non-compliance is not something you want to see happen. It's expensive. Really, if you are found to be non-compliant, there are heavy fines, the higher of up to 4% of total global annual revenue or up to €20 million. So that is not small amounts of money there.

In addition, authorities can issue other punitive sanctions, and data subjects might actually, under this, be seeking compensation, so I think there's a potential here for an increased number of class actions.

So now that we know a little bit about the GDPR, let's turn to how the GDPR has impacted sort of ICANN policy, particularly around WHOIS. So first of all, ICANN is the Internet Corporation for Names and Numbers, and they're the group that's responsible for sort of governing the Domain Name System or the DNS.

And, you know, when the GDPR came out, you know, we talked about it was really enacted in 2016, there really wasn't much attention being paid to it right away. But as 2017 rolled around, there was this awareness that the GDPR would also impact the domain name WHOIS.

For years, the WHOIS has been a huge issue within the ICANN community, and it's really been about, you know, what information should be in there, what about, you know, how do we manage accuracy, because the WHOIS has been notorious for not having the most accurate information. And so that has really hindered law enforcement, IP holders, in enforcing and kind of going after bad guys.

And so, you know, for years, like I mentioned, this WHOIS has been a big issue, but quite honestly, for years, there was also this understanding that it probably was in contravention to many local data privacy laws. But because the internet is so, you know, borderless, it was almost like the ICANN community kind of ignored that and sort of said, "We're different. We kind of live up here, you know, outside of the borders."

And ICANN requires by contract that registries and registrars publish WHOIS information, and in that WHOIS information is what they call contact data. So you have like registrant contact data, administrative contact data, technical, you know, kind of people, their contact data. So there was tons of personal information that you could ordinarily find within a WHOIS, and again, it was very useful to folks like, you know, law enforcement and IP rights holders.

Well, with the GDPR, that clearly is not something that should be the case. So, you know, in 2017, the realization sank in that the GDPR was definitely in direct conflict with ICANN WHOIS Policy, and there needed to be some kind of solution. Despite a lot of discussion and a lot of debate, and sometimes very heated, as we were rolling closer and closer to the date when GDPR would become enforceable, in May of 2018, the community couldn't come to a consensus.

And so what happened is ICANN in, quite honestly, you know, very quick action, issued something called a Temporary Specification regarding WHOIS, where they effectively provided waivers to registries and registrars in providing WHOIS data in light of GDPR so that those entities would not be found, you know, in non-compliance and potentially subject to fees. And also, in the spirit of the GDPR, not wanting to violate the privacy rights of EU citizens.

So we wound up with this Temporary Specification, which really, in many ways, caused massive redaction to WHOIS records out there. And at the same time, ICANN initiated something called an Expedited Policy Development Process or EPDP. And really what that was about is it was actually a special process that was going to be used for the very first time in the ICANN world, where a team was formed to work for a year to solve the problem.

And this, again, is something that has never happened in the ICANN community. We've been debating WHOIS for 20 years, and many thought that this was doomed to fail. But nonetheless, ICANN set out to do this in the hope that the additional year would result in a long-term WHOIS policy that would really deal with the collection, storage, display, transfer, and access to WHOIS data.

So if we dive a little bit deeper into the EPDP, or that Expedited Policy Development Process, what the Temporary Specification that ICANN issued in May of 2018 really did, like I mentioned, significantly redacted WHOIS contact information. So really you were losing access to the name, the email address, the postal address, the phone number of the registrant, the admin contact, the point contact, the technical contact.

Registrants could decide to kind of opt out of that redaction, but for the most part, most registrants kind of use the redaction. And as a result, this has really had a very significant impact on brand protection efforts, because a lot of times when people are trying to go after infringers, one of the best pieces of information is the WHOIS record. So that has really caused a great deal of additional cost, time, and effort.

Now, one of the features of the Temporary Specification is that it's only effective for one year. So that means that the EPDP team really needed to, you know, quickly get to work and quickly identify the issues that needed to be resolved, and really when they did kind of scope the problem and the issue, they really quickly recognized that this needed to be broken into two pieces.

And so it's Phase 1 that really has that one-year time limit, and that Phase 1 part is about the collection and handling of WHOIS contact data and requests for that WHOIS contact data. So this is what had to be completed by May of this year.

Now, Phase 2 is about access to the WHOIS. So this is where, you know, who should have access, how much access should they have, what data should be available. This Phase 2 part is an after the first year thing. So this part has not yet been fleshed out.

So in terms of where we stand with the EPDP, the team has actually issued its final report on Phase 1. That actually happened a little bit ahead of time, and that was actually quite surprising. They got off to a really rough start, but nonetheless, they were able to, early in 2019, put together their final report, and the GNSO Council, which is a stakeholder organization within the ICANN community, they were able to kind of approve that report for consideration by the Board.

Now, before the Board, ICANN Board considers it, it does go out for public comment, and, in fact, that public comment period has just wrapped up. We've provided a link on the slide where you can go out to the public comment forum and you can see the comments that are made. The ICANN staff will also summarize the comments, and they'll issue that summary in just a couple of weeks.

But really, the ICANN Board is now expected to adopt the 29 recommendations in the report, barring any major objections or issues that come up through the public comment period that just lapsed. So that Phase 1 piece is really, you know, winding down, and now we're heading into Phase 2. Phase 2 can't officially start until the ICANN Board approves Phase 1, but they are starting to do some kind of preliminary work to get ready and to kind of tackle that. So that's underway.

So assuming that the Phase 1 recommendations are accepted by the ICANN Board, barring, like I said, any kind of big issues that come up through the public comment, you're really looking at a very slim WHOIS that's going to exist post-temporary specification. So you can see this chart on the slide. I know it's a little hard to read, and I apologize for that, but I wanted to get all this information in one slide for you. But hopefully when you download it, it'll be a little bit better.

But I've tried to color code it here for you, and what you see is there's only a couple of green fields, and what those green fields are, are fields where that information will be available once we get, you know, this new WHOIS, this permanent WHOIS kind of policy and solution in place.

The yellow fields are ones where there's an option to publish, and that option is largely in the hands of the registrar based on agreement that they have with the registrant. And then the red fields are the fields that will be in no way published. So you can really see that this is significantly slimmed down.

Many of you are probably wondering, "Well, when will this happen exactly?" The way the recommendations are written right now in the Phase 1 report, this new WHOIS will be this new kind of, you know, fields and what's available will be effective really end of February next year. So while I know over the last year, we've really felt like the WHOIS has slowly evaporated, I think we're just kind of continuing down that path, in light of what the GDPR has kind of created.

So let's talk a little bit about, if we were to look into our crystal ball, what the future of WHOIS access will be. So we've talked about the type of information that's going to be available in sort of the public WHOIS. But what about this potential kind of access to further information?

Really, what this whole process is sort of setting us up for is a gated, tiered access system, so meaning that there may be additional information that certain parties can have access to within the WHOIS, and it will have to do with what their interests are and whether those interests are legitimate.

But the bottom line being that, you know, the public WHOIS output will be very slim, but there will be this access model that will be fleshed out as part of the Phase 2 part of this process, where it will be determined (a) what will be kind of the system that will be put in place to allow this gated, tiered access, (b) who will be allowed this gated, tiered access, if there's any kind of maybe accreditation process or self-certification process that's going to have to happen to be able to get access, as well as what information and under what circumstances can that information be available.

So this chart is one that came from one of the ICANN presentations at a recent ICANN meeting that kind of tried to sketch out, if you will, kind of what this all looks like, but there's a lot of work to still do here, and again, Phase 2 doesn't have a time limit on it like Phase 1 did. So it's a little unclear as to when we will know exactly what this gated, tiered access model will look like.

So now that we've kind of gone through what the GDPR's impact on ICANN and WHOIS policy has been, we're going to kind of shift our focus a little bit now to the impact that that kind of change in WHOIS policy has had on online brand protection tactics. The WHOIS, as I mentioned earlier, has always been I'll call it primary source for information as to who's behind a domain name. Certainly there have been challenges when a domain name is under like privacy or proxy or something like that, but, by and large, the WHOIS has been a really good source of information to help with brand protection enforcement online.

But now with that, you know, diminishing by the day it seems, it's really important to kind of think about, well, what has kind of been the outgrowth, if you will, what tactics have now been adopted without the WHOIS really being the source it once was.

So I think it's really clear that brand protection professionals really need to look beyond the WHOIS. A lot of times there is other data in the WHOIS beyond the contact information. There's information about servers. There's information about registrars. But it really starts to become an exercise where you're trying to piece information together from the kind of domain detail part of the WHOIS and then perhaps other data sources that may be out there.

So it is really causing brand protection professionals to kind of cast a wider net across data sources and try to link those pieces together. It can be challenging, but certainly it is possible to identify an infringer sometimes through kind of linking those pieces of information together.

There's also, you know, we're also seeing where people who are conducting brand protection enforcement are filing their UDRPs, their URSs, even where they have to file court cases, they're filing them sooner than they once did and actually even more often than they once did. And that's really because they're using those processes, whether it be an administrative dispute process or a court process, to really get to the registrant information, having the court or the dispute provider ultimately unmask who the registrant is behind the domain name.

So, you know, a natural kind of consequence of that unfortunately is it's also increasing the cost of brand protection, because before, there was a lot more you could do, before you hit those administrative processes or the court process, to get to that information, and a lot of it was free. Now obviously having to pay, you know, the dispute fees or the court fees, that changes things.

There's also been an increased practice of using the abuse contact that is listed for every domain name in the WHOIS to try to get at or try to get information to the real registrant behind the name.

Also, the web forms that appear in different registrar WHOIS, that's another method where enforcement professionals are trying to basically send cease and desist letters using that web form, kind of, you know, cutting and pasting their cease and desist into that web form. They are unable to address it to a specific person's name, but they'll say, like, the registrant of domain abc.com. So it's really been kind of a new way that people are trying to transmit kind of demands or requests to discuss the matter or even cease and desist letters. We're starting to definitely see that increase.

Web hosts are also seeing increase in requests to them about taking down infringing content or fraudulent content. You can find out the web host of a name through looking up the IP address. So there are still many free lookups for IP addresses, and people are kind of going at it that way.

Some of the challenges are that some are more cooperative than others, some require you to come with some kind of either administrative order or court order to get to that information, but you can kind of run up the food chain of web hosts to potentially get to somebody who might have a sympathetic ear there. They're kind of all chained together through kind of regional kind of hosting mechanisms.

All right. Well, while most think of the GDPR as really a data privacy regulation, and it is certainly that, it also has very significant cyber security kind of implications, and so it really brings us to a point where we see this kind of intensification of the intersection between data privacy and cyber security.

So under the GDPR, companies have to basically follow established cyber security practices, implementing "state of the art approaches" and "appropriate technical and organizational measures to ensure a level of security appropriate to the risk."

So you can see there's some I would call vague standards being articulated there, but it's pretty clear that you can't just kind of bury your head in the sand. You need to make sure that what you're doing, the program that you're creating around data privacy is kind of state of the art, up to date, it's really appropriate for the risk.

In addition, there's language in the GDPR around notification when there is a breach. And so there's notification to regulatory authorities, and in some cases, there's notification to impacted individuals, and that all has to happen within 72 hours. And that is an amazingly short period of time. You know, many of the studies have shown that companies sometimes don't know that there's been a breach for days, weeks, sometimes months, and there's been some cases in the news where they found over a year after the breach happened or that the breach was ongoing and they didn't even know it. So 72 hours is a very short period of time to, one, understand there's been some kind of issue and, two, get out notification.

These types of requirements are not unique to the GDPR either, and I think that's really important to understand. While we're really focusing on the GDPR here today, because that really has been kind of the seminal regulation, the thing that's really prompted all these actions by ICANN and all these changes, there are a number of national, state, industry-specific data and cyber security laws and regulations that have emerged over the last 18 months and will continue to emerge over the coming years, especially in those heavily regulated industries, things like pharma, tech.

You know, you're really seeing a lot of financial institutions particularly, you're seeing a lot of these types of laws with these types of requirements in it. So when you put your GDPR hat on, you can't just think data privacy, data privacy, data privacy. You have to also think cyber security.

So let's talk about what in-house counsel are concerned about. As I talk to customers, attend conferences, etc., we get into these conversations about, well, what's everybody talking about? What is everybody thinking? So I kind of want to share with you my take on, after talking to a lot of different people across the globe, what I see as the concerns out there and the things that people have been worrying about as it relates to GDPR and obviously the cyber security consequences also that come with that.

So last year, it was very much, you know, everybody was in the preparation mode for GDPR. So it was a lot about getting an inventory of the data, where is it stored, how is it processed. You know, really looking at what are the proper mechanisms in place to get consent? What is IT doing to kind of like fortify the castle? Those were all the things that people were really, really focused on last year.

I think, you know, the GDPR has a lot in it, and it was very overwhelming, I think, as people were really trying to figure out how, by May 25th, to be in compliance. And I think most people finally realized that this was going to be an ongoing effort. This is not like one swing of the bat and we're going to be done, and then we get to walk on to the next project. So last year was really about laying that foundation in terms of the data and how the IT systems were securing that.

This year what I'm hearing much more is sort of, okay, we've got sort of a good inventory. We've got a basic plan. IT's invested a lot of money. But now we've got to have an ongoing program, and now that we know everything that we have, counsel are thinking, "I don't know that we've got all the right controls and policies around those things, so I think we need to start now drilling down deeper in."

So that's really what's happening this year, and people are asking what policies and procedures, those controls that they should have around systems, applications that are holding the personal data. What's the security posture of partners, third-party vendors? Are we confident that they're in as good a shape as we feel like we're in now? Have we done the proper due diligence? Was last year just like a quick exercise, and maybe we need to go back, or did we not even reach out to our partners and vendors? So that's a big concern.

There's also a lot of discussion around like proper escalation procedures. So, okay, when something goes wrong, what happens? What's the plan? Do we need to run drills? How do we deal with this? Are we sure that we know kind of the path for every possible scenario?

And then how do we manage this on an ongoing basis? Like how do we build the governance program that is going to deal with this on an ongoing basis?

These are the things that people are really drilling into this year, and I think, in some respects last year, everybody was really panicked and was kind of really trying to move really quickly. This year it's sort of like reality has set in, but the task doesn't seem any smaller. It actually seems like to some it's getting bigger.

I would also say that, this year, many are realizing one of the forgotten vulnerabilities is the Domain Name System. There have been an escalating number of attacks, both from cyber criminals as well as state-sponsored. And the attacks are increasing not only in number, but also severity.

And recent news, I mean, really since the top of the year, there's been a steady diet of warnings, if you will, from ICANN and the Department of Homeland Security here in the U.S., the National Cyber Security Centre in the United Kingdom. There's also, I believe it's the Cybersecurity Agency in France. And you can kind of just roll through just about every cyber security agency out there, as well as different private security organizations, like Cisco Talos, FireEye, and Akamai. They're all highlighting this risk of the DNS and DNS hijacking really being what's a huge concern.

And really what all these different groups are urging is for governments and the global business community to take specific actions to protect themselves from increased, widespread DNS hijacking attacks, because when these attacks happen, you have data exposure, so you run afoul of all the things that the GDPR is trying to tell you that you need to protect against. Also then, you're dealing with different cyber security risks and those statutes that go with cyber security and the fines and penalties and liability that goes with those.

So this year, as I mentioned, there's a lot of kind of like drilling down into the detail, and one of the things that people are really realizing has been a blind spot, been a forgotten vulnerability is the Domain Name System. And if you take a second to just think, you'd say, "Oh, you know, our domain names, what's the big deal?" Well, it's more than just your domain names.

You have to understand, your domain names kind of power many things within your business beyond just websites. It's your email. It's your servers. It's your authentication, your VPN, your voice over IP phones, if you have IoT devices. You could just think cloud authentication. There's just a number of things, a number of applications and systems that all kind of rely on the Domain Name System, and when the DNS is hijacked, that causes major, major problems.

So I thought it might be helpful to kind of share with you a couple articles that highlight some of the most recent incidents. And I think it's really important to understand that these kind of DNS hijacking incidents, where the DNS system is under attack, they are pervasive and persistent. So this is not just like a once and done thing. This is something that's happening on an ongoing basis. Copycats are learning from prior attacks and then kind of putting their own spin on it.

But just if you're a person who maybe reads some of the local trade magazines or the different industry blogs related to security, these would be two articles that you would see that have recently been published, one in something called Dark Reading and another one in Wired, at wired.com. And both of them are really expounding upon kind of the things that the DHS and ICANN and those other security agencies were kind of warning against, and that's the DNS hijacking.

They talk about how nation states are being hacked. I think when we think about hacking, we often think of smaller enterprises, maybe people who don't have a lot of security. But the fact of the matter is, this DNS hijacking is getting in very deep to many large organizations, including governments and intelligence agencies, things like that.

And I know, when I lie in bed at night, it's pretty scary to think that that can happen, but it's really based upon the way the DNS system works. And what you need to understand is, in order to get a domain name, you need to go to a domain name registrar to get one of those, and only a registrar can go to the registry to purchase the domain name on your behalf.

And so when you kind of think about it, a lot of times I'll use the analogy that the domain industry is a lot like the automobile industry. You typically don't go directly to the manufacturer of the automobile to buy a car. You will go to a dealership. You will go to a local place where they're selling cars, and you'll buy the car there.

The domain industry is a lot the same, in that you have to go to kind of a local dealer, the registrar, to buy your domain, and they are kind of the ones who do all the interaction with the registry. Now, that means your IT department can't directly go and buy domain names. They must work with a registrar to get domain names.

And so that's where one of the biggest vulnerabilities is: those systems, those registrar systems, they sit outside your firewall. They are not something that sits within your firewall. So while your IT group has probably done a fantastic job of really building the biggest, baddest firewall out there to protect your company, the bottom line is this stuff is outside of the firewall.

And so when this hijacking happens where either registrars are compromised or registries are compromised, this is all happening outside your kind of circle of safety. And unfortunately, though, it affects your world, because those domain names power all these things that your company uses and needs.

And so that's the real problem, and that's why it's really, really important to make sure you're working with partners, third parties that are really strong, that really are completely focused on security, because your security on those types of assets, those domain names are only going to be as good as the security the registrar provides.

So over the last couple of months I have had some of my colleagues out there in legal spaces say to me, "Gretchen, I am not a technical person. I do not understand the ins and outs of the DNS. But as in-house counsel, I have a responsibility to make sure my organization is not dropping the ball here. Can you help me figure out the questions to ask?" I mean, that's really what it's kind of come down to.

So over the last couple of months, as I've been helping some of our clients with that, I've kind of put together, if you will, a little bit of a due diligence sort of question set. I think it's a really good place to start to kind of get down to the things that you need to know to be able to protect against this DNS risk.

So let's go through some of these. I think they'll make sense as we go through it, and you'll think to yourself, "Gee, I don't know the answer to this question." So really, I'm hoping that the goal is that, after you have some of these questions, and I'm not saying it's a definitive list, but it's a really good starter set, hopefully you'll go back into your organizations and start asking these questions.

So let's start with questions around the registrar partners that you use for your domain name. So hopefully many of you who are on this webinar use CSC. But for those of you who may not or may not have all your domain names with CSC, I think there are some really important questions in here for you to kind of ask within your organization.

So for instance, who in the company is responsible for managing the domain portfolio? And that is, believe it or not, a question I have asked. I will tell you out of every 10 in-house counsel or general counsel I ask this question, I would say it's about 4 in 10 know the answer to that. It's surprising to me. And they kind of go, "I think it's IT," or, "I think it's marketing," or, "This guy brought me a problem once, so it must be him."

But that's a really important question, because when a breach does happen, okay, and you need to gain control of a domain, shut down the DNS, whatever, it's going to be really important to know who in your organization is the person managing that portfolio. And they're important for a number of other reasons, but nothing like crisis management to really bring clarity.

Also, do you have just one domain name registrar, or do you buy domain names from many registrars? That's something, believe it or not, many companies also don't know the answer to. They might have like a primary registrar that they work with, but they know that their advertising agency gets domain names for them sometimes, or they know that maybe their subsidiary in Asia kind of does their own thing, or maybe their subsidiaries in South America do their own thing or Africa. So they kind of have some pockets within their organization, or even departments within their organization, that they kind of know do their own thing. It hasn't been a problem so far, so they just kind of let it continue to go.

Well, in this age of, again, heightened liability, regulatory liability and risk, not only to your organization but your client's data, that really is no longer going to be acceptable to have that kind of view of things.

So you need to understand who you're doing business with, and you need to know exactly who they all are. And I would strongly encourage you to consolidate, because when crisis does happen, the last thing you want to do is try to go figure out where that domain name sits, who it sits with, what login you need. There's no time for those types of questions or issues when crisis hits.

You also need to know, how long have they been in business? Is it one of those things where, in the domain industry, it's really been an issue of convenience, price. There's a lot of people registering domain names on their own personal credit cards and then expensing them. It's been really more about speed, convenience. I like their portal. I got it really cheap. Those types of considerations have been really what, in some cases, have driven kind of the purchasing behavior.

But this is an area that needs to be significantly buttoned up. So you want to look and make sure that they're accredited and understand for how long, how long have they been in business, what's their financial condition. Have they given you a certificate of insurance? Do you have an MSA in place with them? Do you have a copy of that MSA? Do you know what kind of capital liability you have or what your rights and obligations are?

What about how many people in your company have access to those registrar portals? What about the passwords? Where are they stored? How are they stored? Who has access to them? You can see one question just kind of leads to another question.

But when you really sit down and think about it, you're probably saying, "That makes a lot of sense. That is probably something." We do that with every other vendor that we do business with, and here we have a situation where our business is very dependent on the online world. Email, like I said, all the different things that your business operates, more than just websites. And there's a big kind of, I would say, cloud over exactly what the details are here.

You should also be looking at things like, is two-factor authentication required to log in? What other types of authentication do they offer, things like IT validation, single sign-on. What about other security features or policies?

Also, what's the reputation of that registrar? Are they considered enterprise-class? Have they been hacked in the last three years? How about security certifications? Have their systems undergone penetration testing in the last 12 months? Do they conduct background checks on their employees? How are their staff trained? What controls are in place to protect against social engineering?

What's the support model? Do they offer 24 by 7, 365? Because we all know bad things don't happen nine to five. So you need to know what's that support model. Is there support offered? Is it a call center? Is it a live person? Is it somebody who speaks your language? Is it in your time zone?

These are all the questions that, again, when you kind of sit back and think about it, are very common sense, but something that, as I mentioned, probably 4 in 10 counsel really could not answer most of these.

So you want to know who you're doing business with, and you want to make sure that they are legitimate and enterprise-class and really care for the business that you do with them the way you care for the business you do with your own customers. Because at the end of the day, if something happens and it's as a result that you didn't take the necessary precautions, we kind of talked about, making sure you have the necessary controls in place that are commensurate with the risk, this is a huge risk area. If you haven't taken the proper precautions, you can see how third-party liability can become a big issue for you potentially.

Now, you've probably heard the phrase "it takes a village," and on the domain side, it does take a village. There's not just the domain name you need to worry about and kind of that partner that you're working with to buy those domain names globally, but there's also the DNS infrastructure that kind of runs your website, your email, etc. on the internet. And that infrastructure, the questions around that infrastructure are very much in line with the same questions that you would ask around your registrar partner. You want to make sure that they are of the level of the kind of enterprise nature that you are.

You do not want to use free DNS for real important websites or email. That's a big problem. You get what you pay for. You also want to make sure that you have your password secured, that you are really clear on who has access to those passwords.

And another big thing, in both the registrar context and the DNS context here, the DNS infrastructure context, is what happens when somebody leaves your organization? Are you shutting down their access? Because many of these portals are web-based portals that people can go into to update things.