Two cybersecurity experts arrested during a sanctioned security assessment at the Dallas County Courthouse have reached a $600,000 settlement with Dallas County, Iowa, and its former sheriff, closing a legal dispute that lasted more than five years. The case has become a reference point in discussions around how law enforcement and public institutions handle legitimate cybersecurity operations.
In September 2015, Gary DeMercurio and Justin Wynn, then employees of cybersecurity firm Coalfire, were contracted by the Iowa Judicial Branch to conduct security testing at multiple state facilities. The scope included evaluating physical access controls at the Dallas County Courthouse in Adel, Iowa.
Upon arrival, the cybersecurity testers found the courthouse’s front door unlocked. To properly assess the alarm system and response procedures, they closed the door to activate the alarm and then reopened it using a plastic cutting board, an accepted physical penetration testing technique, triggering the alarm as intended under the contract.
Cybersecurity Experts Arrested: Law Enforcement Response
Officers from the Adel Police Department and the Dallas County Sheriff’s Office responded within minutes. Body camera footage shows Wynn explaining the situation and presenting official authorization documents.
“What are you doing in our courthouse with the alarm going off, sir? The state testing security hires us. Here’s our paperwork, here’s our IDs, go ahead and run us, we’ll just hang out,” Wynn said.
Despite the documentation, the situation escalated after former Sheriff Chad Leonard arrived.
“Well, yeah, they’re going to jail,” Leonard said, according to body camera footage.
The two cybersecurity experts were handcuffed, arrested, and booked into the Dallas County jail, where they were held for nearly 20 hours. All charges were later dropped.
Professional and Personal Impact
Although no criminal charges remained, the arrest had lasting consequences. Publicly released mug shots affected professional credibility and employment opportunities.
“You see somebody in a mug shot, dude’s guilty,” Wynn said. “That has lasted with us in our personal lives and professional opportunities.”
The incident ultimately led DeMercurio and Wynn to leave their employer and later form Kaiju Security, rebuilding their careers independently.
Settlement Reached After Five Years
This week, the parties reached a $600,000 settlement, formally resolving the civil case. DeMercurio emphasized that the outcome affirmed their original position.
“We told you from the get-go that we didn’t do anything wrong,” he said.
Both men stressed that the case highlights systemic misunderstandings around cybersecurity testing in public institutions.
“If Iowa doesn’t revisit how it handles this, it’s going to remain vulnerable,” one said.
The situation underscores the risk of discouraging legitimate security assessments at a time when public-sector systems face cyber threats.
County Position Going Forward
Dallas County Attorney Matt Schultz issued a firm statement following the settlement.
“I am putting the public on notice that if this situation arises again in the future, I will prosecute to the fullest extent of the law.”
The Dallas County case illustrates the consequences of misaligned expectations between cybersecurity professionals and law enforcement. As governments rely more heavily on penetration testing to secure critical infrastructure, the arrest of authorized cybersecurity experts remains a direct example of how procedural failures can undermine broader cybersecurity goals.
Source link