The rise of mobile devices has created uncertainties regardingwhat authority a company has over an employee's personal device ifit is also used for work-related activities, and what actions acompany must take if a device is lost or stolen, according toexperts.

Mobile devices are vulnerable to cyber attacks just like desktopcomputers and laptops are, according to Larry Collins, vicepresident, e-solutions, risk engineering at Zurich NA. Speakingtoday during Advisen's webinar, “Cyber Security: The GrowingLiability of Handheld & Mobile Devices,” Collins explained thatthese devices are essentially mini or micro computers, and he addedthat any computer system that has a networked connection orsoftware system can be broken into and hacked.

Additionally, because devices such as smartphones and tabletsare small and portable, they are easily misplaced. John Mullen, apartner with Nelson, Levine, de Luca & Hamilton, said duringthe webinar that the TSA had to lease a new warehouse just to storedevices misplaced and left behind at airports.

If a mobile device is misplaced by a high-ranking employeeconnected to sensitive data, and that employee does not immediatelyreport the device as lost, the company could be facing a largeproblem by the time the issue comes to light, Mullen said.

Even if a lower-ranking employee loses a device, problems canarise, Mullen noted. That employee may have information stored onthe device including contacts, photos, call history, and notes andpersonal information about contacts.

If the employee works in the healthcare field, theft of suchinformation could trigger Health Insurance Portability andAccountability Act (HIPAA) violations, Mullen said.

Mullen pointed to another emerging risk tied to mobile devices:a “bring your own device” philosophy developing at many companies.He says there are some advantages to such a policy, such as costsavings if employees are spending their own money on smartphonesand tablets that are constantly evolving and beingupdated.

However, he said such a policy can raise questions regarding whoowns the data on the phone when company data is mixed with personaldata. For example, Mullen asked if the company would have theauthority to wipe the information from the phone when the employeeleaves the company.

Mullen said that if an employee connects a personal device to acompany network, the company just inherited responsibility for thatdevice.

Despite the risks, though, Catherine Mulligan, senior vicepresident, Zurich NA, said that in an age where employees takeadvantage of 24/7 connectivity, a mix of personal and companyinformation on personal devices “feels pretty inevitable.”

In order to address the risks around mobile devices, the webinarpanel said companies must enact comprehensive risk-management plansthat include training employees on how to respond if a device islost or stolen.

Mulligan said c-suite executives and risk managers cannot assumethat IT departments will be responsible for all security measures.Plans have to be enterprise-wide, she said. Risk management, sheexplained, starts with IT controls such as VPN (virtual privatenetwork) usage, encryption, and having a plan to track down lostdevices and react.

But beyond the IT department, employees should know who to callif a device is lost or stolen, and the person the employee callsshould know what to do once notified, said Mulligan. She saidcompanies should provide regular training in which all employeesusing personal devices must participate on annual basis.

Mullen added that response to a lost device can become“surprisingly simple” if a company has the proper procedures inplace.

Mulligan said insurance for devices is also available. Coverage,she said, is not much different for mobile devices than for anyother type of data breach. She said there is liability coveragethat deals with legal costs and third-party expertise such asforensics firms to analyze a breach and call centers to provideinformation and public relations. Coverage also may includeservices, such as access to tools to estimate costs, a checklistfor a company's planned response, and access to experts who cananswer questions and review a company's policies andprocedures.