Why Small Businesses Must Regulate Mobile Devices

By Ashley Smith - Source: Tom's IT Pro

Unless your company has an affinity for lawsuits, it's crucial to put a mobile device management policy in place, says Phoenix-based lawyer James Goodnow. Yet, an estimated 50 percent of corporations lack a written security policy that outlines how, and if, personal mobile devices can be used for work purposes.

That's according to a 2014 report by Reputation Communications, a firm that helps companies boost and preserve their image. The percentage is believed to be much higher for small businesses, although an exact figure is unknown.

Legal and technology experts who spoke to Tom's IT Pro agree that without a mobile device management policy, even the smallest companies are at risk of legal trouble, data breaches, damage to the brand and low employee morale, among other unpleasant things.

"For most small businesses — those under 50 employees — this just isn't on their radar," said Goodnow, a director and technology attorney with the Fennemore Craig law firm. "It only takes one lawsuit to bring a company down, but until there's an urgent problem, they're not thinking about it."

Policies, not laws, offer protection

Laws governing how employees are allowed to use mobile devices in the workplace, as well as what type of personal data employers are allowed to monitor and access, haven't kept pace with technology.

Some states have regulations, but they differ from one to the next, and no broad federal regulations exist yet. Further complicating the matter, according to Cincinnati, Ohio-based lawyer David J. Myers, is that existing regulations are often industry specific. Healthcare organizations, for example, must comply with HIPAA rules about how mobile devices can be used in order to protect patient privacy. A mom-and-pop retail store, on the other hand, might not be subject to many, if any, formal rules, he said.

"The issue doesn't have much to do with the size of the company," said Myers, who specializes in cybersecurity and technology law, and owns a separate technology consulting company, SpliceNet Legal Tech. "Even small healthcare companies are subject to HIPAA. And any company, regardless of size, can be sued for a [data] breach. Every company should have something in place."

Lawyers and tech consultants also agree there's no one-size-fits-all approach to drafting an effective mobile device management policy. Policy needs vary based on the type of data a company stores and collects, and how sensitive it is. A company that allows employees to use their personal mobile devices for work purposes will need to set different rules than those that provide employees with company-owned devices.

Shira Forman, a New York City-based employment lawyer, said a good policy outlines brands and models of mobile devices that are acceptable, who pays for the device and what happens if a device is lost or stolen. Most authorize the employer to use its own privacy and security software on the device, and require the use of a passcode. If the device is employer owned, most policies specify that it is not for personal use, and that the company has the right to access all information stored on the device, she said.

"If the company provides the device, the employee's expectation of privacy should be pretty low," said Forman, who works for Sheppard Mullin Richter & Hampton, a global firm specializing in corporate and technology matters.

The benefits of mobile device management

Avoiding lawsuits is the most obvious benefit, lawyers said. Without a written policy, an employee might successfully sue for violation of privacy if the company is monitoring personal information. In the event of a data breach, a customer could prevail in court if the company did not take measures to protect private information stored or sent on company mobile devices.

A strong policy also helps protect a company's brand image and reputation, Goodnow said. Any time a data breach leaks sensitive customer information, public trust in the company is lost.

According to Myers, clear and straightforward policies are good for employee morale, too. Employees feel more comfortable when companies are upfront and honest about what they're monitoring, and why. They may not like it, but they appreciate the knowledge upfront.

"Even if it's legal, your employees don't always like being monitored. They don't like that big brother aspect," he said.

Small businesses can find generic policies online, but those aren't ideal because they don't reflect the company's unique circumstances, Myers said. A good policy is crafted based on the type of data a particular company collects and stores, and the specific laws the company is subject to, he said.

Hiring an attorney or tech consultant to create a policy for your company comes at a cost, of course, but the price varies widely based on the type and size of the business. For large and sophisticated businesses, it's not uncommon to spend six figures, Goodnow said, while very small businesses might be able to have a policy crafted for $5,000 to $10,000.

"Don't wait for a breach, privacy issue or lawsuit," he said. "People hate hiring lawyers, and they hate spending money. But if you don't do it on the front end, the cost on the back end could be tremendous."