Regulations

Federal and industry regulations may affect mobile device policies.  It is important to conduct a thorough investigation to determine whether your organization is subject to any laws or regulations.  The ones below are provided as examples of regulations an organization may face.  This should not be used as a legal resource; consult a legal adviser to determine which regulations your organization is subject to.

HIPAA- Health Insurance Portability and Accountability Act of 1996

This federal law may apply to a number of health care organizations, including doctors, dentists, pharmacies, nursing homes, and health insurance companies, as well as the business associates that handle data on their behalf.  The law covers the privacy and security of health care information (protected health information, or PHI).  Such data might include medical records together with any personally identifiable information attached to them: names, addresses, phone numbers, social security numbers, and other related items.  There are specific rules around the protection of this information and the required process for notifying individuals in the event their data has been breached.  Significant fines and penalties can be associated with breaches of this information; under the original penalty structure these ranged from $100 per violation up to $25,000 per year for identical violations, and the amounts have since been revised upward.  Health care information on mobile devices may be exceptionally vulnerable to breach (devices are lost or stolen, and they often hold cached email and attachments), so the legal requirements around the use of mobile devices in health care environments must be taken into consideration.  Even communicating something minor about a patient over email on a mobile device may cause that message to fall under HIPAA regulation.  The government provides a guide for mobile device privacy and security specific to health care organizations.

http://www.healthit.gov/providers-professionals/five-steps-organizations-can-take-manage-mobile-devices-used-health-care-pro

http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf

http://www.healthit.gov/providers-professionals/how-can-you-protect-and-secure-health-information-when-using-mobile-device

PCI DSS- Payment Card Industry Data Security Standard

This industry standard covers the storage, processing, and transmission of cardholder data for credit, debit, and ATM cards.  It may affect any organization that handles payment information, regardless of size.  Something as simple as replying to an email a customer sent you with a credit card number in it for payment may put you in violation of this standard, because the standard prohibits sending unprotected card numbers over end-user messaging such as email.  An important consideration in the PCI standard that applies directly to mobile devices is the requirement to protect cardholder data with strong encryption whenever it is transmitted over open or wireless networks.  With the growing popularity of mobile payment solutions such as Square or PayPal, a vendor accepting cards over unprotected Wi-Fi at a convention may not be in compliance with this standard; whether the exposure is real depends on whether cardholder data ever leaves the card reader unencrypted before it reaches the device and the network, so the specific solution's design should be reviewed rather than assumed safe.  It is important to investigate whether the organization will have to comply with this standard when developing a mobile device policy.

https://www.pcisecuritystandards.org/documents/accepting_mobile_payments_with_a_smartphone_or_tablet.pdf