Phillip Sitter and William Morris report and update on a case in Iowa where security researchers were arrested — for doing what they had been hired to do. Add this to any list of legal threats researchers face.
Dallas County is paying $600,000 to two men who sued after they were arrested in 2019 while testing courthouse security for Iowa’s Judicial Branch, their lawyer says.
Gary DeMercurio and Justin Wynn were arrested Sept. 11, 2019, after breaking into the Dallas County Courthouse. They spent about 20 hours in jail and were charged with burglary and possession of burglary tools, though the charges were later dropped.
The men were employees of Colorado-based cybersecurity firm Coalfire Labs, with whom state judicial officials had contracted to perform an analysis of the state court system’s security. Judicial officials apologized and faced legislative scrutiny for how they had conducted the security test.
Read more at Des Moines Register. Dan Goodin also reports on the case and settlement at Ars Technica.
In October 2019, DataBreaches had reported on the criminal charges, commenting at the time:
If Iowa doesn’t get its act together, businesses and government will have trouble getting security firms to analyze and test their security. Even after law enforcement was told that Justin Wynn and Gary DeMercurio were Coalfire employees just doing what Coalfire had been hired to do by the judicial branch, the men are still facing criminal charges. The charges were reduced from third-degree burglary (a felony) to trespass (a misdemeanor), but even that is totally absurd.
DeMercurio and Wynn filed their lawsuit in 2021, and the parties agreed to settle on January 23, just three days before the civil suit trial was to begin.
$600,000 for two men’s 6+ years of dealing with having been arrested, stress, and trouble finding work because of the criminal case and reputation damage? The arrests were disgraceful enough. Why didn’t the defendants settle this sooner? If the Sheriff and the Judicial Branch had a dispute over what the Judicial Branch did without consulting with or even notifying the Sheriff first, don’t take it out on the people who were doing what they were hired to do — and who had shown law enforcement the work order at the time they were arrested.
This never should have happened, but when it did, it shouldn’t have taken so many years to compensate the men help restore their reputation.
h/t, Risky Biz Newsletter