Employees are increasingly using their personal mobile devices on the job, often with the explicit approval of their employers. But while that permits more work to be done outside the office and at odd hours while sparing companies from paying for the devices, it doesn’t add up to a pure win-win situation. For most businesses, some degree of risk is involved when company information resides on employees’ smart phones or PDAs.

In a recent memo, law firm Mayer Brown discusses a growing legal risk involving mobile devices. If a company is sued or investigated, it could be required as part of the discovery process to provide electronically stored information relevant to the case. If such data is stored on employees’ personal devices, the company may be in an awkward position, the firm points out. While it may have an internal policy stating that all company information belongs to the company wherever it is located, the law is not yet settled as to whether the company can compel employees to hand over personal devices.

At the same time, not providing such information for discovery purposes could expose a company to charges of spoliation, or tampering with evidence, which can result in significant monetary and other penalties. “Nothing in this area is settled,” Mayer Brown partner Anthony Diana tells CFO. “The law is always several years behind the way people are using technology for work. And where there are murky legal issues, there is great risk.”

The most prevalent cases where mobile devices may pose a legal risk are discrimination claims involving an attempt to prove that a company or manager acted with bias toward an employee, Diana says. But there are innumerable possible examples. In a hypothetical scenario cited in the Mayer Brown memo, a manufacturer is hit with a class-action complaint that it knowingly produced an unsafe product, and text messages among employees could provide key evidence.

More specifically, a recent Securities and Exchange Commission ruling indicated that the recordkeeping requirements of the Securities Exchange Act encompass the personal e-mail accounts of broker-dealer employees that are used for business activities.

The highly regulated securities industry may be more attuned to the risks than other industries. “Companies are not paying attention to this,” says Diana. “We counsel a lot of organizations on e-discovery issues, and when I ask about their plans for iPhones and iPads and the like, they say they’re under a ton of pressure to go down that road. But the risk side is not taken into account.”

Companies can mitigate the risks by issuing mobile devices to workers rather than encouraging them to use their own, and authorizing the use of work-related text messaging on the devices. Courts are less likely to find that an employee had a reasonable expectation of privacy with company-issued devices, Mayer Brown says. As a side benefit, mobile networks can be set up so that messages are synchronized with company servers, minimizing the burden of collecting information from individual devices should the need arise.

Companies also can implement policies restricting certain types of information from being sent outside the organization, and enforce the policies by using encryption techniques or by monitoring where e-mails are being sent.