Some fads, however, do seem to peak. While virtual worlds still seem to be growing, they are not expanding nearly as quickly as in their early days. Many of those who went into virtual worlds thinking that they would be as liberating as the Internet was in its early days have been disappointed and have scaled down their presence or left entirely.

Music-based videogames, like “Guitar Hero,” seem to have peaked and people are talking about “Guitar Hero burnout” – people seem to be tiring of the genre.

Today, “cloud computing” seems to be all the rage. Virtually every computer industry publication is filled with articles about the subject, even though people vary greatly on what they mean by the term. As stated in the IT Law Wiki:

Cloud computing involves the sharing or storage by users of their own information on remote servers owned or operated by others and accessed through the Internet or other connections. Cloud computing services exist in many variations, including data storage sites, video sites, tax preparation sites, personal health record websites, photography websites, social networking sites, and many more.

From a legal perspective, the critical factor in “cloud computing” is that the applications programs and your client’s data reside on computers that are not under your client’s control. This obviously raises security and privacy issues. One of the “benefits” of the “cloud” is that the user does not need to be concerned about where the computers are located. A given application could use computers in multiple jurisdictions to provide services and the user is unaware of where the computers are located. But since sensitive data is being processed in these cloud computing applications (e.g., corporate payroll, individual tax returns), the user must be concerned about where that data is being processed and stored.

Not all countries have the same data protection laws as the United States, yet U.S. laws may place a non-delegable legal obligation on your client to safeguard that data, no matter where it is physically located. Adding to the problem is the fact that many cloud computing applications are contracted for online using a clickwrap license, which does not give the client the opportunity to negotiate appropriate safeguards for the data to be supplied.

Another problem with cloud computing is the possibility that the vendor will cease doing business. Not only will the applications no longer be available to process the company’s data, but the data may disappear as well. And even if the client retains backup copies, the data may be useless without access to the applications needed to run it, display it, or even port it to a different vendor.

Whether cloud computing is a fad is still an open question. But whether or not it is, there are some real legal issues that exist today that clients need to be concerned about and must be dealt with before they jettison their in-house computer systems and move to the cloud. Clients cannot afford to bury their heads in the cloud!

The four courses being offered and the instructors are:

Comparative Electronic Commerce Law and Regulations
Instructor: Dr. Julia Hornle, Queen Mary College of Law, University of London

Comparative Information Privacy Law and Regulations
Professor Ian Walden, Queen Mary College of Law, University of London

Drafting Information Technology Agreements
Professor Michael D. Scott, Southwestern Law School (me)

International Cybercrimes
Professor Susan Brenner, University of Dayton School of Law

The program will run June 21, 2009-July 24, 2009 and is open to any law student from an ABA-accredited law school in the United States, Canadian law students and other law students who can demonstrate English language proficiency. The brochure is available here.

If you are a law student, a law professor, or someone who knows a law student who might be interested in the program, please let them know about it. Due to limited classroom space, the program is limited to 48 students. Students will be admitted to the program on a rolling basis starting in January 2009, so early application is essential. The application is available here.

Over the summer I completed another law review article, which will appear in Volume 60, Issue 1 of the Administrative Law Review (Winter 2008), published by American University’s Washington College of Law. The title of the article is “The FTC, the Unfairness Doctrine and Data Security Breach Litigation: Has the Commission Gone Too Far?” The current draft of the article is available here.

The abstract of the article is reprinted below: (More after the jump.)

Abstract:

The Federal Trade Commission has taken the lead in the online privacy arena. It initially promoted self-regulation, but eventually realized that self-regulation was not working. Thereafter it began taking legal action against entities that violated the terms of their own privacy policies as deceptive trade practices. More recently, the Commission began filing complaints under its unfairness doctrine against companies that experienced data security breaches.

This article analyzes these latest cases under the carefully developed requirements of the unfairness doctrine, and argues that these actions were improperly filed. It further argues that the complaints and consent orders in these cases have provided no real guidance as to what a company should do (or not do) to avoid being the target of an unfairness action if it is the victim of a security breach.

The article proposes specific legislation that would give the Commission express authority to take action against companies that experience data security breaches, but only under well-defined regulations developed by the Commission in collaboration with the affected industries and with input from all interested parties.

Data security and the prevention of identity theft are too important to be left to the whim of the FTC or any other government agency. Companies need to know what is expected of them, so that they can implement appropriate technologies and put in place proper procedures to provide an adequate level of protection for sensitive consumer data. Enacting specific legislation, as proposed in this article, would go a long way toward achieving that goal.