Securing Your Critical Physical Data & Documents

Many businesses, government departments and even cyber security organisations in Ireland have been lured into a false sense of security due to misleading advice on their physical data, document and back-up storage.

Invariably most businesses and public sector departments will tell you they are confident that their physical protection measures for data and documents are more than adequate to counter most contingencies, but how justified is that confidence when the bulk of information coming from big name suppliers regarding the protection offered by fire and data safes, cabinets and strongrooms is less than reliable, and the procurement of such equipment usually happens in the absence of genuine expert advice and specialist industry knowledge.

Physical data secure storage procurement questions

• Are accredited European certification documents available to back-up the claimed physical security or fire resistance attributes of data safes, cabinets and rooms, providing a legal proof of standard?
• In the case of magnetic data is the equipment certified for temperature and humidity limits that will protect magnetic data in an intense fire?
• Is secure storage equipment for data and documents certified against the kind of structural collapse that is likely to result from an intense fire?
• Does all physical data protection equipment have at least one stamped metal certification plate from an accredited European certification body matching the fire and burglary standards required?
• How is access to sensitive data and documents controlled and is such access automatically audited?
• If expert advice was sought on the procurement of physical data protection equipment and its suitability for various types of media before purchase, was documentation to back up that advice provided?

Qualified expert advice is critical to avoid the risk of catastrophic data or document loss

An expert understanding of accredited, certified, data safe, data cabinet and data room testing, and the relevance of that certification in relation to risk and operation, is essential to avoid costly or even catastrophic mistakes. Considerations such as certification of fire resistance and burglary protection are just the starting point, as different types of data media have varying degradation levels under a range of stress factors. 

For example, humidity as well as temperature is a critical factor in preserving magnetic data in a fire, whereas paper documents have a far higher stress level, yet, it is often the case that safes or cabinets which may be barely suitable for storing paper documents, are being used in businesses and government departments to protect magnetic data and back-ups.

EU Parliament regulation 765/2008 created the system that provides the legal basis of accreditation for the burglary resistance certification of safes and cabinets to:

• European standard EN1143-1, the burglary resistance certification for safes
• European standard EN14450, the burglary resistance certification for cabinets
• European standard EN15659 the protection of paper documents from fire
• European standard EN1047-1 the protection of data from fire and structural collapse 

These are the logos of the four certification bodies with accreditation to ISO IEC17065 to certify safes to European standards you will most likely encounter on a genuine certification plate in Ireland.

The ultimate protection against misrepresentation and a legal proof of standard of burglary and fire resistance, accredited European certification is the most important factor in maintaining insurance cover long term, as well as being the basis for all insurance rate recommendations in Europe. When there is a need to ensure regulatory compliance, for the storage of important legal documents or data, anything less than accredited European certification and the legal proof of standard it provides can leave an organisation or individual vulnerable. European accredited certification for safes and strongrooms is backed by regular auditing, market surveillance and is verifiable, proof of standard for both insurance and litigation purposes.

If you consider that 70% of safes tested for burglary resistance by accredited European testing labs fail on the first attempt the practical implications of accepting unaccredited claims of burglary or fire resistance are also obvious.

Certification for physical data storage will be indicated under standard EN1047-1 (Data). 

Accredited European certification that a safe or cabinet is suitable to protect paper or data will always be displayed on a stamped metal plate on the inside of the unit's door. This information will never appear on a sticker.

Data certification is completely separate to any burglary resistance certification plate that a safe may have. There is absolutely no connection between the grade of a safe and the unit's fire resistance.The same information will be available on accredited certification documents which are freely available and should always be asked for.

Fire & impact data protection standard EN1047-1

• Units suitable for paper documents are certified S60P and S120P and have an internal temperature limit of 170°C during testing.
• Units suitable for digital data are certified S60D and S120D and have an internal temperature limit of 70°C and a humidity limit of 85% during testing. 

• Units suitable for magnetic data are certified S60DIS and S120DIS have an internal temperature limit of 52°C and a humidity limit of 85% during testing. 

• All EN1047-1 certified safes and cabinets undergo a structural impact test which consists of a nine meter drop onto a gravel floor while heated to simulate a structural collapse during an intense fire.

Case studies

Financial & cyber security enterprise

Close up photos below show a very popular unit sold for fire protection of paper documents in Ireland known as the “Fire Chief”. This is one of fourteen units that was purchased by an enterprise for the protection of client documents and back-up data, some of which would fall under the GDPR. Procurement selected the unit based on several factors but low price and name recognition certainly came into it.

When Certified Safes Ireland™ were asked to examine the units by a senior member of the management team it was clear to us that rather than purchasing fire and burglary resistant data cabinets, the client had in fact purchased thousands of Euros worth of relatively expensive light steel storage cabinets with no accredited certified fire or burglary resistance whatsoever.

Our examination found the following:

• There was no indication anywhere on the cabinets of a claim the "Fire Chief” was fire resistant in any way.
• There were no fire protection strips or seals anywhere on the cabinets.
  
• Air gaps around door frames were so wide the locking bolts of the cabinet were clearly visible. These gaps would aid airflow for combustion rather than deny it as well as allowing the locking bolts to be cut in seconds with a battery powered angle grinder.
• The only mark found anywhere on the cabinets was an unaccredited sticker which claimed the units are S1 security cabinets, the lowest level of protection under European standards. 

Electronic security company

Below is another very popular unit sold for fire protection of paper documents and data. This was one of two units purchased for the protection of client documents and data by a security company. Again, much of this data would fall under the GDPR. In this case there is just one fire strip around the door frame with significant air gaps on all sides of each door. There was no indication anywhere on these units that they were certified as either fire or burglary resistant, yet the organisation had purchased the units as suitable or "recommended" for paper and digital data.         

The legal situation

Obviously, metal cabinets with no accredited certified fire or burglary resistance is not what any procurement department had in mind when the intension was to source secure stroage for physical data. In both of these cases data and documents held by the organisations concerned were not only at the same level of risk from fire as was the case before the purchase, but information was not being stored in compliance with the groups GDPR risk assessment, opening up the possibility of sanctions, and even legal action if unlawful destruction was caused to third party data due to burglary or fire. 

The fact remains however, that nowhere on the data sheets for any of these units did the manufacturer make the claim that the units were certified for fire resistance. The only reference to “Fire Resistance” states, “Recommended for 30 minutes fire protection for paper records”, but as no accredited certification of fire resistance was referred to this recommendation is technically, just the opinion of the manufacturer, whatever impression the name "Fire Chief" might convey. 

Regarding burglary resistance: The only certification claim we could find in relation to burglary resistance on any of these units was a claim that some cabinets were S1 Security Cabinets certified by Trezor Test in the Czech Republic. S1 is the lowest level of burglary resistance for a cabinet test with hand tools, but even this claim was unaccredited. The test time for an S1 Security Cabinet is 1.5 minutes. 

Protection class quality characteristic for fireproof protection
European Standards EN1047-1, EN1047-2 and EN15659

The abbreviations in the table stand for:

• Fireproof - Light fireproof storage unit to EN 15659
• S  - Data cabinet to EN 1047-1
• DI - Diskette insert for installation into a data cabinet of protection class S 60 P and S 120 P
• C - Data container to EN 1047-2
• R - Data room to EN 1047-2
• 30 - Exposure to flames for 30 minutes
• 60 - Exposure to flames for 60 minutes
• 120 - Exposure to flames for 120 minutes
• P - Suited for heat sensitive paper documents with stress limits up to 170°C
• D - Suited for heat and humidity sensitive data media with stress limits up to 70°C and 85% air humidity
• DIS - Suited for heat and humidity sensitive data media with stress limits up to 52°C and 85% air humidity

 For confidential expert advice please call: +353 1 7076011

Certified Safes Ireland™ director Alan Donohoe Redd is a member of the European CEN263 Working Group responsible for writing European Standards for safes, strongrooms (vaults), secure cabinets and physical data protection for the European Union. A registered NATO supplier and a longstanding member of the European Security Systems Association, Alan has a vast range of experience spanning almost 40 years and encompassing installation of safes, strongrooms, physical data protection, CCTV, alarms, access control, secure storage control systems and Sensitive Compartmented Information Facility (SCIF) specification, design, and installation.

Alan is an expert on standards and fraud issues related to secure storage in Europe and the UK, has had articles related to these subjects published by The Law Society Gazette and Irish Broker Magazine, has forced retractions of multiple false claims related to secure storage offerings to the public, including some published by the Irish Times, and has been pivotal in having misleading standards and practices recognised and withdrawn in Ireland, the UK and at a European level.

Our expertise has been relied on by:

N.A.T.O. Europe, The U.S. Air Force (Europe), The National Treasury Management Agency (Ireland), The National Cyber Security Centre (Ireland), The Revenue Commissioners, Electricity Supply Board (Cyber Security) (Ireland), The Danish Defence Forces (Afghanistan), PayPal (Worldwide), Grant Thornton, The Insurance Institute of Ireland, KPMG, Interxion Data Centres and many others ....

Our seminars on safes, strongrooms and HNW secure storage have been part of Continuing Professional Development for underwriters and insurers having been awarded CPD points by the Insurance Institute of Ireland and the Chartered Insurance Institute (UK).