In a notable legal outcome, two security professionals, Gary DeMercurio and Justin Wynn, are set to receive $600,000 to settle a lawsuit following their wrongful arrest during an authorized security assessment of a county courthouse in Iowa in 2019.
The two men were employed by Coalfire Labs, a Colorado-based security firm, and had explicit approval from the Iowa Judicial Branch to conduct a series of “red-team” exercises. These exercises are designed to simulate security breaches using techniques that mimic those employed by real-world criminals. By testing the resilience of security measures, organizations can identify weaknesses and improve their defenses against actual threats.
A Chilling Message to Professionals
The incident has raised alarm within both security and law enforcement communities. Even with the legal authorization at their disposal, DeMercurio and Wynn faced serious charges, including felony third-degree burglary, and spent a harrowing 20 hours in jail before being released on bail. These charges were later downgraded to misdemeanor trespass, yet Dallas County Sheriff Chad Leonard continued to publicly claim that the men had acted unlawfully and deserved prosecution.
For security professionals, the potential repercussions of such incidents can be devastating. A tarnished reputation can severely hinder one’s career, and the looming threat of arrest for performing legitimate security assessments is understandably alarming for penetration testers and their clients alike. As Wynn poignantly noted, “This incident didn’t make anyone safer. It sent a chilling message to security professionals nationwide that helping [a] government identify real vulnerabilities can lead to arrest, prosecution, and public disgrace. That undermines public safety, not enhances it.”
The events surrounding DeMercurio and Wynn’s engagement at the Dallas County Courthouse on September 11, 2019, were relatively routine. After discovering an unlocked side door, they secured it to enhance the building’s safety. Unfortunately, their efforts triggered an alarm, leading to their swift arrest.
This case emphasizes the critical need for clear communication and understanding between security professionals and law enforcement. As cybersecurity and physical security threats continue to evolve, fostering an environment where security assessments are celebrated rather than criminalized is essential for the safety of the public at large.
For further details, you can read the original article Here.
Image Credit: arstechnica.com
