Invariably most businesses and public sector departments will tell you they are confident that their physical protection measures for data and documents are more than adequate to counter most contingencies. But how justified is that confidence when the bulk of information coming from big name suppliers regarding the protection offered by fire and data safes, cabinets and strongrooms is less than reliable, and the procurement of such equipment usually happens in the absence of genuine expert advice?
- Are there accredited European certification documents providing a legal proof of standard to back up the claimed physical security or fire resistance attributes of data safes, cabinets and rooms?
- In the case of magnetic data is the equipment certified for temperature and humidity limits that will protect magnetic data in an intense fire?
- Is the equipment certified against the kind of structural collapse that is likely to result from an intense fire?
- How is equipment intended to protect sensitive data, hard drives and other devices from fire, burglary or other threats sourced?
- If expert advice was sought on the procurement of physical data protection equipment and its suitability for various types of media before purchase, what were the qualifications of the source of that advice?
- Does all physical data protection equipment have at least one stamped metal certification plate from an accredited European certification body matching the fire and burglary standards required?
An expert understanding of accredited, certified testing of data safes, data cabinets and data rooms, and of the relevance of that certification to risk and operation, is essential to avoid costly or even catastrophic mistakes. Considerations such as certification of fire resistance and burglary protection are just the starting point, as different types of data media have varying degradation levels under a range of stress factors.
For example, humidity as well as temperature is a critical factor in preserving magnetic data in a fire, whereas paper documents tolerate a far higher level of stress. Yet it is often the case that safes or cabinets which may be barely suitable for storing paper documents are being used in businesses and government departments to protect magnetic data and back-ups.
Accredited European Certification
EU Parliament regulation 765/2008 created the system that provides the legal basis of accreditation for the burglary resistance certification of safes and cabinets to:
- European standard EN1143-1, the burglary resistance certification for safes
- European standard EN14450, the burglary resistance certification for cabinets
- European standard EN15659, the protection of paper documents from fire
- European standard EN1047-1, the protection of data from fire
These are the logos of the four certification bodies with accreditation to ISO/IEC 17065 to certify safes to European standards that you will most likely encounter on a genuine certification plate in Ireland.
The ultimate protection against misrepresentation and a legal proof of standard of burglary and fire resistance, accredited European certification is the most important factor in maintaining insurance cover long term, as well as being the basis for all insurance rate recommendations in Europe. When there is a need to ensure regulatory compliance for the storage of important legal documents or data, anything less than accredited European certification and the legal proof of standard it provides can leave an organisation or individual vulnerable. European accredited certification for safes and strongrooms is backed by regular auditing and market surveillance, and is verifiable proof of standard for both insurance and litigation purposes.
If you consider that 70% of safes tested for burglary resistance by accredited European testing labs fail on the first attempt, the practical implications of accepting unaccredited claims of burglary or fire resistance are also obvious.
What Certified Physical Data Storage Certification Looks Like
Certification for physical data storage will be indicated under standard EN1047-1 (Data).
Accredited European certification that a safe or cabinet is suitable to protect paper or data will always be displayed on a stamped metal plate on the inside of the unit's door. This information will never appear on a sticker.
Data certification is completely separate to any burglary resistance certification plate that a safe may have. There is absolutely no connection between the grade of a safe and the unit's fire resistance. The same information will be available on accredited certification documents, which are freely available and should always be asked for.
An Example Of How Physical Data Security Procurement Can Go Very Badly Wrong
Close up photos below show a very popular unit sold for fire protection of paper documents in Ireland known as the “Fire Chief”. This is one of fourteen units that were purchased by an enterprise for the protection of client documents and back-up data, some of which would fall under the GDPR. Procurement selected the unit based on several factors, but low price and name recognition certainly came into it.
When Certified Safes Ireland™ were asked to examine the units by a senior member of the management team it was clear to us that rather than purchasing fire and burglary resistant data cabinets, the client had in fact purchased thousands of Euros worth of relatively expensive light steel storage cabinets with no accredited certified fire or burglary resistance whatsoever.
Our examination found the following:
- There was no indication anywhere on the cabinets of a claim that the “Fire Chief” was fire resistant in any way.
- There were no fire protection strips or seals anywhere on the cabinets.
- Air gaps around door frames were so wide the locking bolts of the cabinet were clearly visible. These gaps would aid airflow for combustion rather than deny it as well as allowing the locking bolts to be cut in seconds with a battery powered angle grinder. (Photo below - left)
- The only mark found anywhere on the cabinets was an unaccredited sticker which claimed the units are S1 security cabinets, the lowest level of protection under European standards.
Obviously, metal cabinets with no accredited certified fire or burglary resistance are not what the procurement department of the business had in mind. The mistake meant that data and documents held by the organisation were not only at the same level of risk from fire as was the case before the purchase, but the information was not being stored in compliance with the group's GDPR risk assessment, opening up the possibility of sanctions, and even legal action if unlawful destruction was caused to third party data due to burglary or fire.
The fact remains, however, that nowhere on the data sheet for the “Fire Chief” did the supplier make the claim that these units were certified for fire resistance. The only reference to “Fire Resistance” states, “Recommended for 30 minutes fire protection for paper records”, but as no accredited certification of fire resistance was referred to, this recommendation is simply the unsubstantiated opinion of the supplier, however misleading that may be.
Of course, it can't be denied that the name “Fire Chief” does give the impression that the unit is fire resistant in some way, but not in any way that matters. The only certification claim we could find was a claim that the cabinets were S1 Security Cabinet certified by Trezor Test in the Czech Republic. S1 is the lowest level of burglary resistance for a cabinet test with hand tools, but even this claim was unaccredited. The test time for an S1 Security Cabinet is 1.5 minutes.
A Warning On The NT FIRE 017 Test For Data
NT FIRE 017 is a conformity assessment of Nordtest. Originally founded in 1973 under the Nordic Council of Ministers, the emphasis of Nordtest is to develop and promote Nordic test methods and pre-normative activity. NT FIRE 017 is NOT a European Standard. Not being a European standard, NT FIRE 017 is not a legal proof of standard for litigation purposes in the European Union, but there are several other important differences in testing and application of the NT FIRE 017 mark that set it apart from European standards that consumers should also be aware of.
Particularly important to the preservation of digital data under European standards, there are strict parameters on permitted humidity levels inside a data safe or cabinet being tested, with relative humidity inside a tested safe or cabinet being measured both during testing and during a cooling phase after testing. NT Fire 017 doesn’t measure humidity at all during testing.
The first important difference between cabinets and safes marked NT Fire 017 and those certified under European standards is that NT Fire 017 may be applied to units of identical construction to a tested unit, provided that the external volume of each untested unit is not less than half of, and not more than twice, the volume of the tested unit. In other words, in a series of five sizes only one unit may have been tested, something impossible under the European testing regime. This is why, unlike NT Fire 017, a series of five sizes of safes or cabinets certified to European standards will usually have differing fire certification times, as might be expected, due to differing sizes and volumes.
There are also substantial differences between European standards and NT Fire 017 in the way temperature inside a tested unit is measured, which to the casual observer may appear to produce a more favourable result for NT Fire 017. Everybody knows that if you heat a rectangular object the internal corners of that object are likely going to heat more rapidly, and this is exactly where thermocouples are placed in European fire testing. In NT Fire testing, however, thermocouples are placed in the centre of safe panels, an area that will likely heat last.
As NT Fire 017 has no defined method of marking tested units, it leaves a manufacturer or supplier free to mark products in a variety of "creative" manners. In the case of the mark above, a facsimile of a plate appearing on a safe from a UK supplier, NT FIRE 017 appears on a stamped metal plate that is strikingly similar to an accredited European certification plate for a safe, with the word "safe" in block capitals in the left hand corner. A consumer might be forgiven for thinking that the plate below is both certifying that the product is a burglary resistant safe and is fire resistant, particularly as under the word "safe" the words "type tested and certified according to NT 017" appear without any mention of the word "fire".
A Warning On Asbestos In Pre-2000 Data Safes
Contrary to what most people might think, asbestos was widely used in door seals on safes, fireproof safes, data safes and fireproof filing cabinets into the 1990s, while safes, document and filing cabinets that contain asbestos continue to be sold on the second-hand market in Ireland, even by well-known safe suppliers. The ban on asbestos in Ireland in 2000, far from seeing a reduction in the amount of safes and cabinets that contained asbestos, instead saw a surge, as thousands of contaminated safes became available on the second-hand market as they were removed from all over Europe and the UK. Asbestos is a deadly carcinogen and is not only a danger to anyone who might use such a unit, but is also a life threatening danger to technicians, locksmiths and fire fighters. Any safe manufactured before 2000 must be presumed to contain asbestos.
European Fire Standards For Physical Data & Paper Documents
Protection class quality characteristic for fireproof protection
European Standards EN1047-1, EN1047-2 and EN15659
Protection classes of products for the protection of data and systems

| Product | Protection class | Certification |
| Light fireproof unit | LFS 30 P | EN 15659 |
| Light fireproof unit | LFS 60 P | EN 15659 |
| Data cabinet | S 60 P | EN 1047-1 |
| Data cabinet | S 120 P | EN 1047-1 |
| Data cabinet | S 60 D | EN 1047-1 |
| Data cabinet | S 120 D | EN 1047-1 |
| Data cabinet | S 60 DIS | EN 1047-1 |
| Data cabinet | S 120 DIS | EN 1047-1 |
| Diskette insert | DI 60 P/DIS | EN 1047-1 |
| Diskette insert | DI 120 P/DIS | EN 1047-1 |
| Data container | C 60 D | EN 1047-2 |
| Data room | R 60 D Type A | EN 1047-2 |
| Data room | R 60 D Type B | EN 1047-2 |
The abbreviations in the table stand for:
Certified Safes Ireland™ in-house advisor on keeping jewellery, watch collections, goods, cash, documents and data, safe, secure, yet readily accessible, is Alan Donohoe Redd.
Alan Donohoe Redd is a member of the European Committee for Standardisation (CEN) Working Group responsible for writing European Standards for safes, strongrooms (vaults), secure cabinets and physical data protection for the European Union and a member of the U.S. Underwriters Laboratories (UL) Standards Technical Panel TC72 covering standards for fire resistance of record protection devices. Alan is also a registered NATO supplier and a longstanding member of the European Security Systems Association. Alan has a vast range of experience spanning almost 40 years encompassing installation of safes, strongrooms, physical data protection, CCTV, alarms, access control, secure storage control systems and Sensitive Compartmented Information Facility (SCIF) specification, design and installation.
An expert on standards and fraud issues related to secure storage in Europe, the UK and the use of asbestos in European safe and cabinet manufacturing, Alan has had articles related to these subjects published by The Law Society Gazette and Irish Broker Magazine, has forced retractions of multiple false claims related to secure storage offerings to the public and has been pivotal in having misleading standards and practices recognised and withdrawn in Ireland, the UK and at a European level.
Alan's seminars on safes, strongrooms and high net worth secure storage have been part of Continuing Professional Development for underwriters and insurers having been awarded CPD points by the Insurance Institute of Ireland and the Chartered Insurance Institute (UK).
N.A.T.O. Europe, The U.S. Air Force (Europe), The National Treasury Management Agency (Ireland), The Department Of Communications (NCSC Cyber Security) (Ireland), The Revenue Commissioners, Electricity Supply Board (Cyber Security) (Ireland), The Danish Defence Forces (Afghanistan), PayPal (Worldwide), Grant Thornton, The Insurance Institute of Ireland, The Royal College Of Surgeons, BFC Bank, Interxion Data Centres, The Private Security Authority, Isle of Man Gold Bullion, Brown Thomas, Bvlgari, Boodles, Druids Glen, The Shelbourne Hotel, and many others ....