The dispute in Oyens Feed & Supply Co. v. Primebank began after a farmer who operated a farrow-to-finish hog facility declared bankruptcy. The farmer’s primary lender asserted priority liens over all of the farmer’s assets, including his livestock. The farmer’s feed supplier asserted that it had a priority lien up to the value of the feed that the farmer purchased to maintain his livestock.

These parties have already been to the Iowa Supreme Court. The parties’ first trip to the Iowa Supreme Court, covered by this blog in 2012, resolved whether the feed supplier’s lien was superior to the bank’s lien. The Iowa Supreme Court concluded that the feed supplier lien had priority to the extent of the value added to the livestock by the feed supplier’s feed. After issuing its decision the Iowa Supreme Court sent the case back to bankruptcy so the parties could apportion the farmer’s remaining cash between the bank and feed supplier.

The parties, however, were unable to agree how to divide approximately $340,000. The bank asserted that the feed supplier had failed to perfect its lien. The bank claimed that in order for a feed supplier to obtain a priority lien, Iowa Code § 570A.4(2) requires feed suppliers to file a financing statement within 31 days after the farmer purchased feed. The feed supplier had only filed two financing statements. The feed supplier asserted that these two financing statements were sufficient to cover the entire value of the feed sold to the farmer over the course of at least a year.

The Iowa Supreme Court disagreed, ruling that under Iowa law a feed supplier lien only has priority over a bank’s lien for feed sold within 31 days of each financing statement that the feed supplier files. As a result, since the feed supplier only filed two financing statements the feed supplier only had priority over the bank for feed sold to the farmer in the 31 days preceding the filing of each of the financing statements.

The second issue the Iowa Supreme Court decided dealt with the amount of the feed supplier’s lien. Iowa law only gives the feed supplier a lien to the extent of value added by the feed. However, in this case the farmer’s farrow-to-finish operation meant that hogs were born on the farm and raised until they could be sold.

The bank argued that the feed supplier’s lien should not cover the entire value of the hogs. According to the bank there are certain fixed costs that are involved in the “acquisition” of each new hog. For example, the farm had to have buildings for the hogs to live in, so the cost of the buildings, per hog, should be deducted from the value of the feed supplier’s lien.

The Iowa Supreme Court rejected the bank’s argument. The Iowa Supreme Court ruled that in a farrow-to-finish operation the feed supplier lien can be up to the entire value of the hog.

The Iowa Supreme Court’s decision means that in a farrow-to-finish operation feed suppliers have the ability to obtain a lien for the entire value of the livestock on the farm if the feed supplier timely files financing statements. This means that banks that lend money to livestock operations need to ask questions about the nature of the operation and regularly check to see if there are any outstanding feed supplier liens.

The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.

The rule states that a party opposing summary judgment may not manufacture a material fact issue simply by filing an affidavit that directly contradicts prior testimony. A contradictory affidavit must be rejected, where the contradiction is unexplained and unqualified by the affiant.

In the Estate of Dedrick, the widow had previously testified in a criminal case against Dr. Baldi, the defendant in the later wrongful death suit. Excerpts of the criminal trial transcript were included in the summary judgment record to address the factual question as to whether the widow knew or should have known the causal connection between Dr. Baldi’s care and the decedent’s death.

In resisting a motion for summary judgment, the widow filed an affidavit stating that to the best of her “knowledge, recollection, understanding[,] and belief,” she did not discover Dr. Baldi might have caused or contributed to her husband’s death until less than two years before the petition was filed.

The Iowa Supreme Court concluded that the affidavit did not create a genuine issue of material fact and did not preclude summary judgment, because the affidavit contradicted her earlier sworn testimony.

The ruling included three caveats. First, the contradictory affidavit rule is not limited to affidavits characterized by fraud or malfeasance. Second, the contradictory affidavit rule is inapplicable if the affiant offers a reasonable explanation for any apparent contradiction between the affidavit and other sworn testimony. Third, to invoke the rule, “the inconsistency between a party’s deposition testimony and subsequent affidavit must be clear and unambiguous.” The widow’s affidavit clearly and unambiguously contradicted her earlier sworn testimony in the criminal case against Dr. Baldi, and, thus, could be rejected.

Most courts applying the contradictory affidavit rule do so when the plaintiff provides deposition testimony and a contradictory affidavit in the same case. The Iowa Supreme Court, however, applied the rule when the previous testimony was presented at trial in a different proceeding, as long as the two proceedings feature a common factual nucleus and the same person provides both the earlier testimony and the later conflicting affidavit.

The adoption of the “contradictory affidavit rule” should further streamline the litigation process by allowing the trial courts to more often grant motions for summary judgment.  For further questions regarding commercial litigation, contact Mollie Pawlosky.

The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.

The case follows what is becoming a familiar pattern. A county hospital in Washington state had several bank accounts at Bank of America. Bank of America offered the hospital the ability to initiate ACH transfers online through an internet module.

Over the course of two days hackers accessed the hospital’s bank accounts through malware installed on a hospital employee’s computer. The hackers used their access to transfer over $1,000,000 out of the hospital’s accounts. When the hospital identified the fraud it asked Bank of America to reverse the transactions, but only a portion of the funds could be recovered.

According to the court, before an ACH transfer from the hospital’s accounts could occur the following steps had to be completed:

1. The module created a digital fingerprint of each computer that accessed the online module. If the system did not recognize the computer then it would issue a challenge question for the user to answer.
2. A digital certificate was installed on approved computers. Computers without the digital certificate would be denied access.
3. The system would generate a fraud score based on login patterns and would identify high-risk logins for further review.

The parties disputed whether the following security procedures were also required:

1. The system denied transfers if there was a $0 balance in the account.
2. A call back procedure that required the bank to call the account holder before approving transactions.
3. Transfers could be reversed within 24 hours of authorization if the account holder requested reversal.

Bank of America and the hospital disputed the efficacy of the security procedures outlined above, and which parts of the procedures the parties had actually agreed to implement.

The dispute in the case centered on whether the hospital and Bank of America had agreed to use a commercially reasonable security procedure to verify the authenticity of ACH transactions through the online system. If Bank of America and the hospital agreed to a commercially reasonable procedure, and the bank followed it in good faith, then the hospital was liable for the loss. The hospital vigorously disputed that it had agreed to a procedure that was commercially reasonable.

The court did not decide whether the procedures above were commercially reasonable or not. The court instead required the parties to proceed to trial where the court would resolve the factual disputes, and then rule on the commercial reasonableness of the procedure. After the court’s ruling requiring the case to go to trial the parties settled, so we won’t know whether a court would find the security procedures outlined above commercially reasonable.

Banks have the potential to shift liability for certain fraudulent wire and ACH transfers to account holders. To do so the bank must (1) develop a commercially reasonable security procedure, (2) agree with its account holders to implement it, (3) comply with the procedure for every ACH and wire transfer, (4) and act in good faith when accepting ACH and wire transfer orders from account holders. This blog has covered the recent increase in email ghosting attacks, malvertising, and email phishing attacks. These threats mean attacks like the one in Washington will continue. Banks should review their online money transfer systems and account holder agreements to determine whether they have the option to shift liability to account holders. Otherwise, banks may be forced to reimburse account holders for losses of hundreds of thousands of dollars.

The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.

In Abernethy v. Schmitt, No. 15-0661 (May 11, 2016), the Iowa Court of Appeals agreed with Schmitt. A contract to pay at a particular place does not amount to a requirement that performance was to occur at that place. Thus, the venue was not dictated by the place of the contract’s performance—the place of performance was not stated.

Rather, the Court of Appeals applied Iowa Code section 616.17, “Personal actions, except as otherwise provided, must be brought in a county in which some of the defendants actually reside.” Breach of contract suits, as personal actions, are governed by Section 616.17. As Schmitt resided in Woodbury County, his motion to change venue should have been granted.

Moreover, pursuant to Iowa Rule of Civil Procedure 1.808(1), “the [district] court shall order the change of venue at plaintiff’s costs, which may include reasonable compensation for defendant’s trouble and expense, including attorney’s fees, in attending in the wrong county.”  Thus, the court in Schmitt should have considered granting Schmitt’s request for attorney’s fees, including time spent on the appeal.

The lesson to contracting parties that wish to litigate in a certain venue is to have the contract specifically state where performance is to occur. Alternatively, contracting parties should be ready to pursue collections suits in the county where the defendant resides.

For questions regarding Abernethy v. Schmitt, No. 15-0661 (May 11, 2016) or commercial litigation, contact Mollie Pawlosky.

The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.

Golden is the continuation of First American Bank v. Urbandale Laser Wash, LLC. After the judgment in First American Bank was affirmed on appeal, the bank obtained partial satisfaction. The bank then sought to recover the remaining $1.5 million in judgment debt, and initiated proceedings auxiliary to execution.

Golden then sought certiorari to the appellate court, arguing that the trial court abused its discretion in allowing broad discovery to proceed against the debtor’s wife and Golden Enterprises, a jointly owned limited liability company, neither of which was bound by the judgment. The bank served numerous subpoenas for depositions and documents from the debtor’s spouse and Golden, which appeared to have been restructured during the pendency of the foreclosure.

The Court of Appeals recognized that the district court “enjoys wide discretion in its rulings on discovery issues.” Iowa Code section 630.5 provides that witnesses may be required to appear and testify during post judgment proceedings. The Iowa Rules of Civil Procedure allow for a liberal construction of the rules for providing discovery; the court may grant a protective order to limit discovery only when good cause is shown; and reasonable steps must be taken to avoid imposing undue burden on subpoena recipients. However, a protective order will not issue simply because the recipient claims that compliance would result in undue burden or expense; burdensomeness must be shown.

In this context, the Court of Appeals ruled that the trial court had not abused his discretion. The information requested was relevant to the bank’s ability to determine what assets would be available for execution and which were not subject to execution because owned by the wife or the entity. In reaching this decision, the Court of Appeals specifically noted that Golden had been restructured during the foreclosure. Neither the spouse nor Golden had shown that good cause existed to issue a protective order; no specific evidence concerning the time or expense for compliance was offered, and no privacy interests of truly disinterested parties were implicated.

If the wife and Golden had offered evidence as to the time and expense required to comply, the result may have been different. Thus, Golden reminds creditors that their reasonable collection efforts will usually be allowed by the courts, and debtors and affiliated parties asserting burdensomeness will have to demonstrate a burden to succeed.

For questions regarding Golden Enterprises, LLC v. Iowa District Court for Polk County or commercial litigation, contact Mollie Pawlosky.

The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.

On January 7, 2014, Grinnell State Bank filed suit to foreclose the Joneses’ real estate mortgage, seeking judgment in rem and in personam. The Joneses filed their answer on February 14, 2014. On February 24, 2014, the bank moved for summary judgment, and the Joneses did not resist.  On April 8, 2014, the court entered a decree of foreclosure, and the bank proceeded to a special execution. On April 25, 2014, the Joneses’ attorney was suspended from the practice of law. The bank was the successful bidder at the sale and received a Sheriff’s Deed on June 10, 2014.

The debtors hired new counsel, and on September 19, 2014, the debtors filed a motion to dismiss the foreclosure action, arguing that the suit was barred by issue preclusion, claim preclusion, res judicata, and/or collateral estoppel, all arising from a foreclosure suit that the bank had filed on June 4, 2013, but for which decree, on January 3, 2014, the bank had filed a notice of rescission, pursuant to Iowa Code section 654.17.

Although the trial court addressed the merits of their issue-preclusion claim, the Court of Appeals addressed only the timeliness of the motion to dismiss. Iowa Rule of Civil Procedure 1.441(1) states, “Motions attacking a pleading must be served before responding to the pleading or, if no responsive pleading is required by these rules, within 20 days after the service of the pleading on such party.” The Court of Appeals held, “The Joneses moved to dismiss the petition more than seven months after filing their answer. The motion to dismiss—which was filed more than eight months after the petition, seven months after the answer, five months after the foreclosure decree, and three months after the property was sold at auction—was clearly untimely.”

On appeal, the Joneses for the first time argued that their untimeliness was excusable, because they “were essentially unrepresented” when their prior attorney was suspended from the practice of law “unbeknownst to [them].” However, because the Joneses “failed to request an extension of time for filing their motion to dismiss and never claimed excusable neglect in the district court,” the Court of Appeals could not consider the claim for the first time on appeal. The Court of Appeals, therefore, affirmed the denial of the motion to dismiss.

The Joneses’ arguments are confusing; although their attorney was, in fact, suspended, the suspension occurred after the attorney had filed an answer on the Joneses’ behalf—thus, it is unclear how the attorney’s later suspension could have constituted “excusable neglect,” especially when the attorney had filed an answer. In any event, Grinnell State Bank v. Jones provides a good example of the importance of clearly stating all arguments before the trial court, and making sure that the trial court addresses all arguments, so that the appellate court finds that error has been preserved.

For questions regarding Grinnell State Bank v. Jones or commercial litigation, contact Mollie Pawlosky.

The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.

This blog has previously discussed the risks posed by email ghosting—an alternative term for BEC scams. In this kind of attack, cyberattackers will either create a spoof email address that closely mirrors a real email address of a member of an organization, or infiltrate a company’s email system. In either case the cyberattacker’s goal is to send emails that convince employees to disclose confidential information or initiate a funds transfer to the cyberattacker’s bank account.

The FBI released some startling statistics about the prevalence of this kind of attack:

• Law enforcement globally has received complaints from victims in every U.S. state and in at least 79 countries.
• From October 2013 through February 2016, law enforcement received reports from 17,642 victims.
• This amounted to more than $2.3 billion in losses.
• Since January 2015, the FBI has seen a 270 percent increase in identified victims and exposed loss.
• In Arizona the average loss per scam is between $25,000 and $75,000.

Organizations may find that when one of these attacks causes financial loss there is no source of recovery. For example, this blog has discussed how employee conduct could prevent claims to insurers. If an employee is fooled by one of these attacks and sends money to cyberattackers an insurance carrier might not be legally obligated to reimburse the organization.

Banks may also not be required to reimburse an organization if the bank did everything it was supposed to do. This blog has extensively discussed the rules governing liability for businesses after a cyberattack. If an email ghost convinces an organization’s accountant to wire funds abroad and the accountant provides all of the required authentication information to the bank then the bank will likely not be obligated to reimburse for a cyberattack.

Email ghosting scams can take advantage of employees’ tendency to follow instructions, so it is important to make sure that every organization has developed policies and procedures that will help mitigate the risk posed by email ghosting scams. For example, organizations can require employees to confirm orders to send money with a phone call. The FBI recommends that organizations report any examples of these and other kinds of cyberattacks to the FBI’s Internet Crime Complaint Center. Organizations should identify the weak points in their hierarchy to determine whether an email ghosting scam could succeed.

The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.

For many years ATMs were unattractive targets for cyberattackers because ATMs often used proprietary software developed by each ATM manufacturer. ATMs were also difficult to hack because many were not easily accessible online, so an attack would require someone to physically access the computer in the ATM to load malware.

Two changes have made ATMs much more attractive targets. The first change was standardization of ATM operating systems. A majority of the 3 million ATMs in operation worldwide still run a version of Windows XP or Windows XP Embedded. Some ATMs run on even older Windows operating systems. Standardized operating systems mean that malware developed to exploit a security flaw can take advantage of many more ATMs.

The problem for banks is that many of these operating systems are now outdated. Microsoft discontinued support for Windows XP on April 8, 2014, and for Windows XP Embedded on January 12, 2016. This blog has previously explained the importance of regularly updating software. Microsoft’s decision to discontinue support for ATM operating systems means that those systems will no longer receive updates in response to security holes that cyberattackers identify. Any security flaw that existed in an ATM operating system as of the date that service was discontinued will exist as long as that ATM still relies on that operating system.

The second change that made ATMs more attractive to cyberattackers was the rise of third-party services that give banks the ability to manage ATMs remotely. This so-called “middleware” gives cyberattackers a new vector that they can exploit to access ATMs remotely.

Consequently, according to Trend Micro and EC3, attacks on ATMs increased 15% from 2014 to 2015 in Europe. Statistics were not available for the United States, but there is no reason to think that there are fewer instances of fraud in the United States than in Europe.

Cyberattackers are currently experimenting with a variety of malware that can compromise ATMs. The most common attacks will either cause an ATM to “jackpot”—dispense all of the currency from its safe—or turn the ATM into a card skimmer that records and transmits to cyberattackers card and pin numbers.

As with any new cyberthreat, there is not one solution that will protect ATMs. However, there are several industry recommendations supported by Trend Micro and EC3:

1. The ATM has two distinct compartments: the PC and the safe. Each section should be accessible by different maintenance employees and should require different customized sets of lock keys.
2. Each set of keys should not be easily accessed by anyone and, ideally, they should be specific for each ATM. Ideally, the PC compartment should be made as secure as the safe box.
3. Implement BIOS passwords which should be changed after every time it’s accessed by maintenance staff.
4. The hard drive of the ATM PC needs to be encrypted and checked for integrity to detect changes.
5. The initial hardware communication between the PC and the cash dispenser needs to be authorized and encrypted. This is to prevent rogue hardware devices communicating with the cash dispenser.
6. All firmware running on any hardware devices on the ATM PC should not be susceptible to a version downgrade or rollback. Firmware upgrades should require special authorization via encryption keys or other secure means.
7. There has to be a clear policy on how and when the software in use is to be updated or upgraded. Make sure the update process never shows vital information on-screen, like usernames, IPs, file system paths, passwords, etc.

ATM attacks are likely to increase in the coming years, particularly if there is no concerted effort to update ATM operating systems. Banks should be mindful of the risks and take appropriate steps to mitigate those risks.

The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.

An equitable mortgage is a lien on property to secure the payment of money that lacks the essential features of a legal mortgage. Iowa courts have long recognized that a conveyance, absolute on its face, may, by proper evidence, be shown to be a mortgage.

In determining whether a conveyance or mortgage was intended, the court decides each case on the totality of its own facts. The court may look beyond the instrument itself and at the parties’ relationship in order to determine the parties’ intent. The ultimate question is whether the parties intended for the deed to serve as security for an obligation; if they did, the court will convert the transaction into a mortgage by operation of law. The grantor must show by clear and convincing evidence that the parties intended for the deed to be a mortgage.

The factual background of Brownlee was complicated; multiple entities were involved, and the parties had engaged in transactions other than the transaction scrutinized by the court. In this complicated factual scenario, the Court of Appeal considered several factors suggesting that the parties intended only a security agreement.

First, the Court of Appeals recognized that inadequate consideration tends to show that the transaction was intended to be a mortgage; in this case, the Brownlees transferred their property to the James D. Jamison Irrevocable trust for $1.8 million, but shortly thereafter, the Jamison Trust sold the property to a third party for $3.25 million. Another indicator the parties intended a mortgage is that the grantor retains possession of the property. The grantor’s retention of possession is consistent with the claim of creditor-debtor relationship and inconsistent with the theory of absolute conveyance. Here, the Brownlees retained possession of the property. Another circumstance evidencing a security interest rather than a conveyance is the creation or existence of a debtor-creditor relationship. Here, the Jamisons Trust had a creditor-debtor relationship with the Brownlees. The right to redeem the property is another circumstance that shows the parties intended a mortgage. If the deed was intended as security, settled law affords the mortgagor the right to redeem. Here, the Brownlees had the right to repurchase the property, on certain conditions.

On the other hand, there was also evidence that the parties intended an absolute conveyance. First, the Jamison Trust was a third party and was not a party to the prior agreements. Second, the Jamisons argued there was no landlord-tenant relationship and that there was no debtor-creditor relationship between the Brownlees and the Jamison Trust.

After considering each of the factors, the Court of Appeals reiterated that the ultimate inquiry in determining whether the parties intended a mortgage or conveyance is the parties’ intent.  Given the “rather unique circumstances of this case,” including the complicated transactional history, the interconnectedness of the defendants and their business operations, and the convictions of the Brownlees for forgery related to the financing of the farming operation, the Court of Appeals could not conclude that the Brownlees established the existence of an equitable mortgage as a matter of law. Thus, the Court of Appeals reversed the district court’s grant of summary judgment and remanded for further proceedings.

Brownlee provides several clear examples of the kinds of evidence that a court will consider in deciding whether to convert a deed into an equitable mortgage. For questions regarding Brownlee v. Jamison or regarding estate mortgages in general, contact Mollie.

The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.

So-called ransomware attacks are on the rise. It was recently reported that a California hospital had its systems hijacked and was forced to pay a ransom in order to retrieve all of its data. Hackers allegedly demanded over $3 million for the return of the hospital’s data. However, it was later reported that the amount the hospital paid was closer to $17,000. Nevertheless, the hospital was in a tight spot because it apparently failed to sufficiently back up its data, so it was completely beholden to the hackers.

The breaches at major websites like MSN and the New York Times, with their millions of daily page views, are particularly dangerous. Malvertising is insidious because it does not necessarily require users to click on an ad in order to download malicious software. These “drive-by” attacks can occur in the background of a computer’s normal operations, so the user may not be aware that their computer is being compromised.

One of the most significant steps an organization can take to guard against these kinds of attacks is making sure their software is up to date. The recent attack at MSN and the New York Times is reported to have taken advantage of security flaws in Adobe Flash and Microsoft Silverlight.

This blog has previously discussed the importance of patching organization software to avoid known security flaws. This is one easy step organizations can take to minimize the risk of a ransom attack or a data breach.

This recent malvertising campaign also illustrates the risks that employees may cause when they access websites on organization computers. This blog recently reviewed a case where a bank was the victim of a cyber-attack involving over $485,000, and employee conduct almost prevented the bank from having insurance coverage.

Organizations need to be aware of the serious threat posed by all internet websites. Even mainstream websites can be platforms for the distribution of malicious software, so organizations need to make sure they are taking steps to minimize the risk of attack. Legal liability may depend on these actions.

The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.