Mobile technology, particularly in cases when an employee uses his or her own smartphone or mobile electronic device at work, raises questions of control, data ownership and security, experts say.

Issues arise regarding the extent to which companies can retain control over company data that is on workers' own mobile devices, said Aaron K. Tantleff, senior counsel with law firm Foley & Lardner L.L.P. in Chicago.

“You have to give consideration to whether or not the device is owned by the company or owned by the employee,” and, if it is employee-owned, whether there are separate environments for personal and work data, Mr. Tantleff said.

Jason C. Schwartz, a partner with law firm Gibson Dunn & Crutcher L.L.P. in Washington, said: “One of the big issues there is the protection of confidential information, both for the employee who might depart, and also because it exposes the information to third parties who might steal it.”

“It's imperative to make sure” that certain company policy requirements are in place regarding personal mobile devices, including the capability to remotely wipe the mobile device, especially if the employee leaves the company, said Matt Donovan, assistant vice president, technology and privacy underwriting leader at Hiscox USA in Atlanta.

“There are copious amounts of information being stored on mobile devices,” Mr. Donovan said. One would hope that security controls, including encryption, are in place, “but this may not always be the case,” he said.

As a result, “I think, first and foremost, companies are looking at much broader exposure when their sensitive data is pretty much constantly in transit, with employees on the go and having access to that data in their pocket.”

Mobile smartphone applications, and the malware that can accompany them, are a potential danger as well, said Bob Parisi, network security and privacy practice leader at Marsh Inc. in New York. An estimated 70 billion apps will be downloaded in 2013, or about 10 for every person alive today, he said.

%%BREAK%%

Previously, data was protected by a perimeter, but with the “bring-your-own-device” phenomenon, “you essentially have exploded that perimeter” thereby “creating some very real exposures,” Mr. Parisi said.

Phil Mayes, London-based senior vice president in the global technology and privacy practice of Lockton Cos. L.L.P., said companies are “becoming increasingly reliant and expect to have access to data on a 24/7, 365-day basis,” which can cause problems in the event of system outages. “Then what you have is almost a redundant workforce.

“It's incumbent upon the risk management department to have a continuity process in place so they're not penalized by significant outages,” Mr. Mayes said.

“It's incumbent upon the risk management department to have a continuity process in place so they're not penalized by significant outages,” Mr. Mayes said.