Information security is a challenging and costly problem for organizations. There are always financial incentives to cut corners on security or to displace the costs of insecurity onto others. Unless organizations self-disclose security incidents, regulators, consumers, and other competitors cannot assign responsibility for insecure practices.

Appeals to “security” also enjoy a special status in political debates, where many assume that it is an apolitical, value-neutral good. More properly viewed, invocations of security can mask underlying political or economic goals, such as controlling how consumers use a product, or locking them into a service. Promoting security for certain individuals can create insecurity for others. This will come into full focus in Chapter 9, where we discuss how various companies install software on customers’ computers in order to secure their own intellectual or physical property but, in so doing, reduce the security of the user.

To address the problems of insecurity in products and services, the FTC's information security enforcement actions create a series of responsibilities that companies assume when they handle personal information. The Agency analyzes an organization's entire security practices to determine whether “taken together” insecure elements are deceptive or unfair. With the addition of staff technologists, the FTC's information security actions have become technically complex and delve into details regarding how specific technologies are implemented within an organization.

The FTC's deception power is not a perfect tool for policing information security problems, because privacy policies are often too vague to account for particular security lapses. Thus, early in its enforcement strategy, the FTC relied upon unfairness to police insecurity. By 2010, however, the Agency pivoted back to use of the deception theory, and interpreted any statement about security – even anodyne ones such as “[we are] proud of the innovations we have made to protect your data and personal identity” – as an assurance to the consumer of reasonable security practices. Thus, contemporary information security matters invoke deception, but often have characteristics of unfairness theory cases. The Agency can also use its false advertising authority against companies that misrepresent the security of products.

Information security matters, at least in the beginning, were an uncontroversial way for the FTC to police online privacy. Security enforcement was compatible with the “harms-based” approach promoted by then Chairman Muris.