You do really need a policy. Your employees expect IT to protect them, and your company's executives expect you to make sure that corporate data is protected from the things that employees do with their mobile devices. But your customers also want to know what you're doing with their data, and various contractors, distributors, suppliers and anyone else in your network need to know what they aren't allowed to do.
It's bad enough that a mobile device brings the same IT threats as any other network-connected device. It has full access to your LAN and can piggyback on whatever permissions you gave its owner. And of course, if it's being accessed by a naughty user, it can try to exceed that access.
But you really need a mobile-specific policy because mobile devices can be careless with all the data they store. They theoretically can track all movements. The microphone and camera can be activated remotely. Apps can access every phone call, email or text sent or received, as well as every site visited and every tweet tweeted. Some can even send messages under your name without your knowledge (No kidding. Even the Starbucks app has demanded the ability to tweet on customers' behalf) . And some apps can identify every other app being used, along with a host of tech specs, like OS version, browser, serial number of phone, Wi-Fi particulars, carrier, etc..
You also need to specify what the company can do with mobile devices' tracking capabilities. They might seem like a boon when you need to locate employees, and they're even helpful for building security, such as when needing to make sure every employee is located during an emergency evacuation. They're also an easy way for new employees to find some far-off conference room on a large campus.
But it doesn't take much imagination to see how tracking could get creepy. Are you going to let managers use tracking data in performance reviews? ("Well, Rebecca, I see that you spend more than an hour every day in the lavatory." "Scott, the average length of your lunch hour over the past six months has been 85 minutes.") Will you track employees when they leave your facility but are still on company time? What about when they are not on company time? What if someone phones in sick and you find his company-issued Android at the racetrack or a bar — or a competitor's headquarters?
You need to discuss and agree on where your company wants to place those limits. It's light-years easier to discuss this calmly and professionally when there is no immediate specific situation staring you in the face — with personalities attached. Whatever is agreed to must be ironclad. You don't want emotional situations to trump the calm thinking made at an offsite executive meeting back in January. Clearly, exceptions can always be made, but they should be rare.
Something else to consider: Deciding these things isn't enough; the policy should also dictate how those decisions will be communicated to all of your audiences, especially to customers. In this case you can take a lesson from Nordstrom, which recently conducted a mobile location trial with shoppers . It posted a sign at the entrances to its stores, alerting customers to what was being done. It wanted the sign to be succinct and understandable, but it ended up with a program description that was a little inaccurate and incomplete. That caused confusion and anger among shoppers, who envisioned the program being far more invasive than it was.
The moral of that story: If mobile data is collected, you will get blamed, no matter whether you see the data or not.
Your mobile policy has to address what you will allow vendors to collect about your customers, your employees and your partners. It should spell out how much of that your company should see. It should lay to rest the question of whether third parties will be allowed to collect data that you won't see. It needs to establish how you will inform your customers, employees and partners about this data collection, if at all. (There are legitimate arguments on both sides.) And you need to make your policy precise enough to be useful while not being so detailed that it is incomprehensible to people who aren't that technical.
There are few areas that are more complex, more controversial and more politically dangerous than mobile data collection. You may find that simply having these conversations will change not merely your policies, but your strategy and how you approach it.