Supreme Court prohibits courthouse security test break-ins

The Iowa Supreme Court has issued orders to change the way the state court system conducts security assessments after two cybersecurity workers hired by state court administrators were arrested for breaking into the Dallas County Courthouse last month

DES MOINES, Iowa -- The Iowa Supreme Court issued an immediate order Thursday that prohibits physical break-ins of courthouses or entry outside of regular business hours by cybersecurity testers after two workers hired by state court administrators were arrested for breaking into the Dallas County Courthouse last month.

Chief Justice Mark Cady also ordered court administrators to confer with local officials on systems testing, all contracts to be reviewed by a lawyer and the court administrator to personally approve contracts with input from building security, sheriffs and others.

The move comes after Cady and court administrators were sharply criticized last week by lawmakers on the Senate Government Oversight Committee.

Two cybersecurity workers broke in to the Dallas County Courthouse in Adel after midnight on Sept. 11, where they were arrested after an alarm was triggered. They were taken to jail and later released on bond.

The sheriff has filed a complaint of third-degree burglary and possession of burglary tools, but the county attorney has yet to file trial information documents formally charging them, said their attorney Matthew Lindholm. The county has 45 days from their arrest to decide whether to pursue prosecution or dismiss the case. The burglary charge is a felony and carries a sentence of up to five years in prison.

Dallas County Attorney Chuck Sinnard did not immediately respond to a message.

Officials later found out the men had also entered the Polk County Courthouse in Des Moines and the state judicial branch building, which houses the Iowa Supreme Court, without being detected.

Information technology employees at the judicial branch had entered into a contract with Colorado-based cybersecurity company Coalfire to conduct tests on buildings and computer systems at county courthouses. Cady said it was "to ensure the court's highly sensitive data was secured against attack."

Outside law firm Faegre Baker Daniels was hired by state court officials to investigate the break-ins and issued a report Thursday . It concluded that there were misunderstandings over whether the contracts with Coalfire allowed physical testing of courthouses after business hours. The investigation found that contract language was ambiguous and there was a lack of management, oversight and proper supervision of the testing program.

Investigators did not find the court administrators or Coalfire acted with deception or ill-intent but concluded the greatest problem was that they failed to consider the potential impact on counties which provide security for their courthouses.

The report said it appears the state judicial system has authority to manage security of the areas it oversees inside county courthouses but it is unclear whether that extends to courthouse areas outside the courtrooms, jury rooms and judge's chambers.

An Iowa Supreme Court spokeswoman said any possible disciplinary measures are under review by the judicial branch human resources department.

At last week's meeting, Senate Government Oversight Committee Chairwoman Sen. Amy Sinclair asserted it was outside the scope of the judicial branch to authorize individuals to illegally break into facilities that they neither own nor provide security for.

Sen. Tony Bisignano called the break-ins a "covert stupid operation" that put law enforcement officers and the men involved in the break-ins at risk of harm.

Cady acknowledged at the meeting that mistakes were made and he apologized , taking full responsibility for the problems associated with the cybersecurity testing.

Sinclair and Bisignano did not immediately reply to messages seeking comment on Cady's orders and the report.