Black Hat Physical Device Security: Exploiting Hardware and Software

When I was a kid, we played a game called hot potato. The premise was that you were holding a hot potato and you passed it along to the next person as fast as possible, and whoever dropped the potato was out. Eventually you ended up with two kids arbitrarily throwing a potato (that wasn't really hot) as hard as possible at the other kid in an attempt to force him to drop it. Secret data isn't handled like this, but the legal responsibilities for it are.
You create a software program and run a server on the Internet where you offer a service. You ask the user to register an account and log in. You store that user's password information in a table somewhere so that when the user returns, he or she can be reauthenticated, thus identifying that person. Your service makes use of common cryptographic processes and has keys that are used to keep data secure. Technically, the user has the controlling interest in the cryptographic keys that are used to encrypt and decrypt the data that is specific to that user, such as address information and so forth. Should your server or the user own the key? Does the server store it so that when a user returns, the data can be decrypted? If the server is hacked, the encrypted data and the key are both there, allowing the attacker to gain access to the data. This doesn't seem to...
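The two key-ownership models the paragraph contrasts, as an added example that is not from the book: in the first the server keeps the data key next to the ciphertext, in the second the client derives the key from the password and the server stores only a password verifier. It uses the Python standard library only, with an HMAC-based encrypt-then-MAC construction standing in for a real AEAD such as AES-GCM; the function names, the PBKDF2 work factor and the sample address are constructed for the example.

```python
import hashlib
import hmac
import secrets

ITER = 100_000  # PBKDF2 work factor; constructed value for this example

def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256: a stdlib stand-in for a real AEAD."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def seal(key, plaintext):
    """Encrypt-then-MAC; the 32-byte key is split into an encryption half and a MAC half."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key[:16], nonce, len(plaintext))))
    return nonce + ct + hmac.new(key[16:], nonce + ct, hashlib.sha256).digest()

def open_(key, blob):
    """Check the tag, then decrypt; raises on a wrong key or a tampered blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key[16:], nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key[:16], nonce, len(ct))))

def register_server_owned(password, address):
    """Design 1: the server generates the data key and stores it at rest beside the ciphertext."""
    salt, data_key = secrets.token_bytes(16), secrets.token_bytes(32)
    return {"salt": salt,
            "verifier": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITER),
            "data_key": data_key,                     # a copy of this record is enough to decrypt
            "ct": seal(data_key, address.encode())}

def register_user_owned(password, address):
    """Design 2: the client derives the data key from the password; the server never stores it.
    The server still sees the password at login, so a stronger variant would use a
    password-authenticated key exchange; the at-rest exposure is what this models."""
    auth_salt, key_salt = secrets.token_bytes(16), secrets.token_bytes(16)
    data_key = hashlib.pbkdf2_hmac("sha256", password.encode(), key_salt, ITER)  # client side only
    return {"auth_salt": auth_salt, "key_salt": key_salt,
            "verifier": hashlib.pbkdf2_hmac("sha256", password.encode(), auth_salt, ITER),
            "ct": seal(data_key, address.encode())}

def user_reads_back(record, password):
    """The returning user re-derives the key from the password and decrypts."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), record["key_salt"], ITER)
    return open_(key, record["ct"])

def breach_recovers_plaintext(record):
    """What someone holding a copy of the stored record can decrypt offline, without the password."""
    if "data_key" not in record:
        return None                                   # only a verifier and ciphertext were exposed
    return open_(record["data_key"], record["ct"])
```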