In a previous article, Lindahl described the latest amendments to the Security Protection Act (2018:585), which entered into force on 1 December 2021. One of the major new features of the change in the law was that the supervisory authorities have been granted extended powers of investigation and the ability to impose penalty fees. In a decision of 2 May 2022, the County Administrative Board imposed an administrative penalty fee of SEK 7 million on an operator for breaches of the Security Protection Act. The County Administrative Board’s decision is one of the first decisions to impose penalty fees under the new regulations.
The operator had notified the County Administrative Board on 31 March 2022 that it was carrying on activities that were sensitive in terms of security. The operator’s activities include water and drainage work for a large number of customers. In view of the operator’s notification, the County Administrative Board began an inspection of protective security work at the operator. The inspection revealed the following, among other things:
- There was no Security Manager at the business between October 2021 and March 2022.
- The most recent protective security analysis was dated 29 March 2013 and there was also no protective security plan.
- 70 of the operator’s employees (with posts in security classes 2 and 3) and 6–8 persons from suppliers, all of whom took part in activities that were sensitive in terms of security, had not been made subject to security clearance in accordance with the requirement stipulated in the Protective Security Act.
In view of these circumstances, the County Administrative Board considered the operator to be in breach of the provisions of the protective security legislation in various ways. The reasons for the County Administrative Board’s decision regarding the various circumstances are summarised below.
REASONS FOR THE COUNTY ADMINISTRATIVE BOARD’S DECISION
Notification of activities that are sensitive in terms of security
In accordance with Chapter 2, section 6, first paragraph of the Protective Security Act, an operator must notify the supervisory authority without delay that it is engaged in activities that are sensitive in terms of security (referred to as the obligation to report). The obligation to report entered into force on 1 December 2021. The County Administrative Board considered that the delay by the operator in issuing the report until 31 March 2022 constituted a breach of the obligation to report.
The Security Manager
Chapter 2, section 7 of the Security Protection Act stipulates that a Security Manager must exist if activities covered by the Act are carried out, unless it is clearly unnecessary. The operator employed no Security Manager during the period from 17 October 2021 to 7 March 2022. The County Administrative Board therefore considered the operator to be in breach of its obligation to have a Security Manager during that period.
The Protective Security Analysis
One of an operator’s basic obligations is to carry out a protective security analysis to investigate the need for protective security for its activities. That protective security analysis must be documented. More detailed requirements for the contents of the protective security analysis are also set out in the Protective Security Ordinance (2021:955). The Ordinance specifies, among other things, that the analysis must be updated as necessary and at least every other year. In the present case, the operator’s most recently updated security analysis was from 28 March 2013 and the County Administrative Board therefore considered that the operator failed to fulfil its obligation to have an updated protective security analysis.
Security clearance of personnel
As a general rule, anyone who is to take part in activities that are sensitive in terms of security must first undergo security clearance in accordance with the Protective Security Act (a requirement that also applied before the amendment to the law that entered into force on 1 December 2021). The security clearance must be carried out before the commencement of participation in the activities that are sensitive in terms of security and must include a basic investigation as well as a register check and a specific personal investigation in some cases. The same paragraph states that the security clearance must be followed up during the period in which the person in question takes part in such activities. A register check means that information is retrieved from criminal records and criminal suspects registers to verify whether the person is entered in them. A register check must be carried out if an employment or other participation in activities is to be placed in a security class.
The County Administrative Board’s inspection revealed that approximately 70 of the operator’s employees with posts included in security classes (security classes 2 and 3) and some suppliers had not been made subject to security clearance in accordance with requirements stipulated by law. In view of this, the County Administrative Board considered that the operator failed to fulfil its obligation to carry out security clearance.
The county administrative board’s assessment and the amount of the penalty fee
In view of the above, the County Administrative Board considered that there were several breaches of protective security legislation that could lead to penalty fees being imposed.
When assessing whether to impose a penalty fee, a supervisory authority may take into account all relevant circumstances in the individual case, but it must take the following into particular consideration: 1) the damage to or vulnerability in Sweden’s security that has occurred, 2) whether the breach was intentional or due to negligence, 3) whether the operator had attempted to end the breach or to limit the effects of the breach and 4) whether the operator had committed any previous breach.
In its assessment, the County Administrative Board highlighted the following in particular:
- a large number of persons took part in activities that were sensitive in terms of security without the necessary security clearance,
- the operator was well aware of the importance of the activities for Sweden’s security and nevertheless failed to act,
- the breaches were considered to be intentional,
- it is true that the operator adopted certain measures to end the breaches, but those measures were adopted a relatively long time after the breaches were brought to light, and
- because the nature of the activities is such that they cannot be suspended while waiting for the breaches to end, the vulnerabilities continue until the deficiencies are rectified.
A penalty fee must amount to a minimum of SEK 25,000 and a maximum of SEK 50 million. For state authorities, municipalities and regions, the penalty fee may be set at a maximum of SEK 10 million. In the case in question, the operator belonged to the latter category, which meant that the lower limit was applicable.
When assessing the amount of the penalty fee, the County Administrative Board considered that the operator:
“[...] caused a significant vulnerability in Sweden’s security due to lack of protective security measures that could lead to extremely serious consequences. Overall, the breaches are considered to be extremely serious.”
In view of this, the County Administrative Board decided to impose a penalty fee of SEK 7 million on the operator.
A few points
The County Administrative Board’s decision is the first decision to impose penalty fees for breaches of protective security legislation.
The decision shows that it is extremely important for an operator to regularly check security measures adopted and to keep relevant documents and procedures up to date. Ensuring that activities are consistent with protective security legislation is a continuous process that requires careful monitoring. Operators should specifically ensure that all necessary steps in the security clearance have been completed before a person takes part in activities that are sensitive in terms of security. No actual damage need have occurred and the occurrence of a vulnerability that could have serious consequences is considered equally serious.
The preparatory materials for the Protective Security Act state that penalty fees in the upper half of the penalty ranges should only be imposed for extremely serious breaches. The County Administrative Board’s decision provides an illustration of the fact that extensive breaches that are not remedied for a long time despite awareness of the breaches can lead to the breaches being considered as extremely serious. A penalty fee of SEK 7 million is painful for many operators and the penalty fee could have been significantly higher had the operator been a private operator.
The County Administrative Board’s decision has so far not been examined by a court and the decision has not gained legal force. The protective security legislation has undergone important changes in the recent past and further guidance on the practical implementation of the regulations is therefore welcome. It will therefore be interesting to monitor developments in case law.