Invariably, most businesses and public sector departments will tell you they are confident that their physical protection measures for data and documents are more than adequate to counter most contingencies. But how justified is that confidence when the bulk of information coming from big name suppliers regarding the protection offered by fire and data safes, cabinets and strongrooms is less than reliable, and the procurement of such equipment usually happens in the absence of genuine expert advice and specialist industry knowledge?
- Are accredited European certification documents available to back up the claimed physical security or fire resistance attributes of data safes, cabinets and rooms, providing a legal proof of standard?
- In the case of magnetic data, is the equipment certified for temperature and humidity limits that will protect magnetic data in an intense fire?
- Is secure storage equipment for data and documents certified against the kind of structural collapse that is likely to result from an intense fire?
- Does all physical data protection equipment have at least one stamped metal certification plate from an accredited European certification body matching the fire and burglary standards required?
- How is access to sensitive data and documents controlled, and is such access automatically audited?
- If expert advice was sought on the procurement of physical data protection equipment and its suitability for various types of media before purchase, was documentation to back up that advice provided?
An expert understanding of accredited, certified testing of data safes, data cabinets and data rooms, and the relevance of that certification in relation to risk and operation, is essential to avoid costly or even catastrophic mistakes. Considerations such as certification of fire resistance and burglary protection are just the starting point, as different types of data media have varying degradation levels under a range of stress factors.
For example, humidity as well as temperature is a critical factor in preserving magnetic data in a fire, whereas paper documents have a far higher stress level. Yet it is often the case that safes or cabinets which may be barely suitable for storing paper documents are being used in businesses and government departments to protect magnetic data and back-ups.
The Importance Of European Certification
EU Parliament regulation 765/2008 created the system that provides the legal basis of accreditation for the burglary resistance certification of safes and cabinets to:
- European standard EN1143-1, the burglary resistance certification for safes
- European standard EN14450, the burglary resistance certification for cabinets
- European standard EN15659, the protection of paper documents from fire
- European standard EN1047-1, the protection of data from fire and structural collapse
These are the logos of the four certification bodies, accredited to ISO/IEC 17065 to certify safes to European standards, that you will most likely encounter on a genuine certification plate in Ireland.
The ultimate protection against misrepresentation and a legal proof of standard of burglary and fire resistance, accredited European certification is the most important factor in maintaining insurance cover long term, as well as being the basis for all insurance rate recommendations in Europe. When there is a need to ensure regulatory compliance for the storage of important legal documents or data, anything less than accredited European certification and the legal proof of standard it provides can leave an organisation or individual vulnerable. European accredited certification for safes and strongrooms is backed by regular auditing and market surveillance, and is verifiable proof of standard for both insurance and litigation purposes.
If you consider that 70% of safes tested for burglary resistance by accredited European testing labs fail on the first attempt, the practical implications of accepting unaccredited claims of burglary or fire resistance are also obvious.
What Certified Physical Data Storage Certification Looks Like
Certification for physical data storage will be indicated under standard EN1047-1 (Data).
Accredited European certification that a safe or cabinet is suitable to protect paper or data will always be displayed on a stamped metal plate on the inside of the unit's door. This information will never appear on a sticker.
Data certification is completely separate to any burglary resistance certification plate that a safe may have. There is absolutely no connection between the grade of a safe and the unit's fire resistance. The same information will be available on accredited certification documents, which are freely available and should always be asked for.
Examples Of How Physical Data Security Procurement Can Go Badly Wrong
Close-up photos below show a very popular unit sold for fire protection of paper documents in Ireland known as the “Fire Chief”. This is one of fourteen units that were purchased by an enterprise for the protection of client documents and back-up data, some of which would fall under the GDPR. Procurement selected the unit based on several factors, but low price and name recognition certainly came into it.
When Certified Safes Ireland™ were asked to examine the units by a senior member of the management team, it was clear to us that rather than purchasing fire and burglary resistant data cabinets, the client had in fact purchased thousands of euros' worth of relatively expensive light steel storage cabinets with no accredited certified fire or burglary resistance whatsoever.
Our examination found the following:
- There was no indication anywhere on the cabinets of a claim that the “Fire Chief” was fire resistant in any way.
- There were no fire protection strips or seals anywhere on the cabinets.
- Air gaps around door frames were so wide the locking bolts of the cabinet were clearly visible. These gaps would aid airflow for combustion rather than deny it, as well as allowing the locking bolts to be cut in seconds with a battery powered angle grinder.
- The only mark found anywhere on the cabinets was an unaccredited sticker which claimed the units are S1 security cabinets, the lowest level of protection under European standards.
Below is another very popular unit sold for fire protection of paper documents and data. This was one of two units purchased for the protection of client documents and data by a security company. Again, much of this data would fall under the GDPR. In this case there is just one fire strip around the door frame with significant air gaps on all sides of each door. There was no indication anywhere on these units that they were certified as either fire or burglary resistant, yet the organisation had purchased the units as suitable or "recommended" for paper and digital data.
Obviously, metal cabinets with no accredited certified fire or burglary resistance are not what any procurement department had in mind when the intention was to source secure storage for physical data. In both of these cases, data and documents held by the organisations concerned were not only at the same level of risk from fire as was the case before the purchase, but information was not being stored in compliance with the group's GDPR risk assessment, opening up the possibility of sanctions, and even legal action if unlawful destruction was caused to third party data due to burglary or fire.
The fact remains, however, that nowhere on the data sheets for any of these units did the manufacturer make the claim that the units were certified for fire resistance. The only reference to “Fire Resistance” states, “Recommended for 30 minutes fire protection for paper records”, but as no accredited certification of fire resistance was referred to, this recommendation is, technically, just the opinion of the manufacturer, whatever impression the name “Fire Chief” might convey.
Regarding burglary resistance: The only certification claim we could find in relation to burglary resistance on any of these units was a claim that some cabinets were S1 Security Cabinets certified by Trezor Test in the Czech Republic. S1 is the lowest level of burglary resistance for a cabinet test with hand tools, but even this claim was unaccredited. The test time for an S1 Security Cabinet is 1.5 minutes.
European Fire Standards For Physical Data & Paper Documents
Protection class quality characteristic for fireproof protection
European Standards EN1047-1, EN1047-2 and EN15659
Protection classes of products for the protection of data and systems

|Product type|Protection class|Standard|
|---|---|---|
|Light fireproof unit|LFS 30 P|EN 15659|
||LFS 60 P|EN 15659|
|Data cabinet|S 60 P|EN 1047-1|
||S 120 P|EN 1047-1|
||S 60 D|EN 1047-1|
||S 120 D|EN 1047-1|
||S 60 DIS|EN 1047-1|
||S 120 DIS|EN 1047-1|
|Diskette insert|DI 60 P/DIS|EN 1047-1|
||DI 120 P/DIS|EN 1047-1|
|Data container|C 60 D|EN 1047-2|
|Data room|R 60 D||
||R 60 D||
The abbreviations in the table stand for:
Certified Safes Ireland™ director Alan Donohoe Redd is a member of the European CEN263 Working Group responsible for writing European Standards for safes, strongrooms (vaults), secure cabinets and physical data protection for the European Union. A registered NATO supplier and a longstanding member of the European Security Systems Association, Alan has a vast range of experience spanning almost 40 years and encompassing installation of safes, strongrooms, physical data protection, CCTV, alarms, access control, secure storage control systems and Sensitive Compartmented Information Facility (SCIF) specification, design, and installation.
Alan is an expert on standards and fraud issues related to secure storage in Europe and the UK, has had articles related to these subjects published by The Law Society Gazette and Irish Broker Magazine, has forced retractions of multiple false claims related to secure storage offerings to the public, including some published by the Irish Times, and has been pivotal in having misleading standards and practices recognised and withdrawn in Ireland, the UK and at a European level.
N.A.T.O. Europe, The U.S. Air Force (Europe), The National Treasury Management Agency (Ireland), The National Cyber Security Centre (Ireland), The Revenue Commissioners, Electricity Supply Board (Cyber Security) (Ireland), The Danish Defence Forces (Afghanistan), PayPal (Worldwide), Grant Thornton, The Insurance Institute of Ireland, KPMG, Interxion Data Centres and many others ....
Our seminars on safes, strongrooms and HNW secure storage have been part of Continuing Professional Development for underwriters and insurers having been awarded CPD points by the Insurance Institute of Ireland and the Chartered Insurance Institute (UK).