Case Study 1: The Coalfire Iowa Courthouse Arrest — When Authorized Testing Goes Wrong
Background
In September 2019, the cybersecurity firm Coalfire Labs was engaged by the Iowa Judicial Branch to conduct a comprehensive security assessment of court buildings across the state. The engagement was part of a broader effort to evaluate the physical and electronic security of Iowa's judicial facilities, and it included both traditional cybersecurity testing and physical penetration testing — testing the physical security controls that protected courthouses from unauthorized entry.
Coalfire is not a fly-by-night operation. Founded in 2001 and headquartered in Westminster, Colorado, the firm is a well-established cybersecurity company with hundreds of employees, multiple offices across the United States, and a reputation for high-quality work. Their clients include major corporations, government agencies, and organizations in regulated industries. The testers assigned to the Iowa engagement were experienced professionals who had conducted numerous physical penetration tests before.
The engagement was authorized by the State Court Administrator's Office, the administrative body responsible for managing Iowa's judicial branch. Coalfire had a signed contract, a statement of work that included physical penetration testing, and a letter authorizing their activities. The testers — Justin Wynn and Gary DeMercurio — carried copies of this authorization letter, as standard practice dictates.
The Incident
On the night of September 11, 2019, Wynn and DeMercurio approached the Dallas County Courthouse in Adel, Iowa. Their objective was straightforward: test the building's physical security by attempting to gain unauthorized entry, document their findings, and report back to the Iowa Judicial Branch.
The testers found a door that they could open. Upon entering the building, they triggered a burglar alarm. This was expected and even desirable — triggering alarms is part of testing whether alarm systems function correctly and whether the response is adequate.
What happened next was not expected. Dallas County Sheriff's deputies responded to the alarm and confronted the two testers inside the courthouse. Wynn and DeMercurio identified themselves as penetration testers and presented their authorization letter from the Iowa Judicial Branch.
The deputies were not persuaded. From the sheriff's perspective, two men had broken into the county courthouse in the middle of the night. The authorization letter was from the State Court Administrator's Office, but the courthouse building itself was owned by Dallas County, not the state. The sheriff's office did not recognize the state court administrator's authority to authorize entry into a county-owned building.
Wynn and DeMercurio were arrested and charged with third-degree burglary — a class D felony in Iowa, carrying a potential sentence of up to five years in prison. They were booked, photographed, fingerprinted, and jailed. The charges were not dropped immediately; they persisted for months, casting a shadow over the testers' careers and personal lives.
The Legal Dispute
The core legal question in the Coalfire case was deceptively simple: who had the authority to authorize entry into the courthouse?
The Iowa Judicial Branch argued that as the primary occupant and user of the courthouse, the State Court Administrator had the authority to authorize security testing of the facility. The contract between Coalfire and the Judicial Branch was valid, the testing was within scope, and the testers had acted in good faith.
Dallas County argued that the courthouse building was county property. The county owned the building, maintained it, and was responsible for its security. The State Court Administrator did not have the authority to authorize third parties to enter county-owned property in the middle of the night, any more than a tenant in an apartment building could authorize someone to break into the building's lobby.
This dispute highlighted a fundamental ambiguity that many penetration testing contracts fail to address: the difference between the client who commissions the test and the owner of the property being tested. In corporate environments, this distinction is often clear — the company that hires the penetration tester typically owns or controls the systems and facilities being tested. But in government contexts, where multiple layers of government may share authority over a single facility, the lines of authority can be blurred.
Resolution and Aftermath
The criminal charges against Wynn and DeMercurio were eventually resolved through a plea agreement in which the felony charges were reduced to misdemeanor trespass, and the testers were sentenced to community service. The Iowa legislature subsequently passed legislation clarifying the authority of the State Court Administrator over courthouse facilities, and the Judicial Branch revised its procedures for authorizing security testing.
Coalfire, for its part, publicly discussed the incident as a cautionary tale for the security industry. The company emphasized the importance of verifying authorization at every level — not just from the client, but from every entity that has ownership, control, or jurisdictional authority over the assets being tested.
Lessons for Penetration Testers
Lesson 1: Authorization Must Come from the Right Authority
The most important lesson of the Coalfire case is that authorization must come from someone who actually has the legal authority to grant it. This seems obvious in retrospect, but in practice, determining who has that authority can be surprisingly complex.
Before accepting a physical penetration testing engagement, ask these questions:
- Who owns the building or property?
- Who leases or occupies the building?
- Are there multiple tenants or occupants?
- Is the property subject to shared governance (as in the Iowa courthouse case)?
- Are there security guards, building management companies, or other third parties who control access?
- What jurisdiction does local law enforcement have over the property?
Lesson 2: Notify Law Enforcement Before Physical Tests
While not always required or desirable (notification can compromise the test's realism), failing to notify law enforcement of physical penetration testing creates significant risk. If an alarm is triggered and police respond, the situation can escalate rapidly.
Best practices include:
- Discuss with the client whether to notify law enforcement in advance.
- If notification is given, ensure it includes specific dates, times, and locations.
- If notification is not given, ensure the authorization letter includes a 24/7 contact who can confirm authorization to responding officers immediately.
Lesson 3: The Authorization Letter Is Not a Magic Shield
Wynn and DeMercurio had an authorization letter and presented it to the sheriff's deputies. It did not prevent their arrest. An authorization letter is evidence of authorization, not a guarantee against prosecution. Its effectiveness depends on:
- Whether the person who signed it had the authority to do so
- Whether the responding officers accept it at face value (they are not required to)
- Whether the scope of the letter covers the specific activities in question
Lesson 4: Physical Testing Carries Unique Legal Risks
Physical penetration testing involves entering buildings, bypassing security controls, and interacting with people — activities that can trigger not just computer crime statutes but also trespass, burglary, breaking and entering, and even assault charges (if a physical confrontation occurs). The legal risks are qualitatively different from remote cybersecurity testing, and the consequences of a misunderstanding are far more immediate and personal.
Lesson 5: Document Everything and Cooperate
When confronted by law enforcement during physical testing, the testers should:
1. Remain calm and comply with all instructions
2. Identify themselves and their purpose immediately
3. Present the authorization letter
4. Provide the emergency contact number for someone who can confirm authorization
5. Not argue, resist, or attempt to leave
6. Document the encounter as soon as possible afterward
Discussion Questions
- If you were drafting the authorization letter for the Coalfire engagement, what additional elements would you include to prevent the situation that occurred?
- Should penetration testing firms require clients to provide evidence that they have authority over all assets in scope, rather than relying on the client's representation? What would this process look like in practice?
- How does the Coalfire case change your understanding of the "get out of jail free" letter concept? Is the term misleading?
- The Iowa legislature passed legislation to clarify the authority of the State Court Administrator after this incident. Draft a model provision that could be adopted by other states to address similar ambiguities.
- If you were Coalfire's CEO, what changes would you make to the firm's policies and procedures in response to this incident?
Connection to Course Themes
This case study directly illustrates the Authorization/Legality theme that runs throughout this textbook. The Coalfire incident demonstrates that authorization is not binary — it exists on a spectrum of specificity, and gaps in authorization can have severe consequences. It also illustrates the Human Factor theme: the situation escalated not because of a technical failure, but because of a gap in communication and understanding between multiple human actors (the state court administrator, the county sheriff, and the testers themselves).