So hold on.  Before you think I've been dropped (again) on my head, hear me out.  There's an interesting article that I found today at Network World.  Don't have time to read it?  Here's the net net.  Kevin Dilallo, a partner at telecom law firm Levine, Blaszak, Block & Boothby LLP in Washington, D.C, says:

"If companies think they are saving money [using the reimbursement method], they are out of their minds. And from a security standpoint, individual liability is suicide."

Them some purty powerful words there.  Certainly quote worthy.  Too bad it's not entirely accurate, in my opinion.  Time for my quote worthy statement.  Ready?  OK, here we go.

Philippe Winthrop on his Enterprise Mobility Matters blog states: "Individual Liability vs. Corporate Liability is really a moot point...if organizations actually manage their mobility deployments."

Whoa....Keanu Reeves time.

OK.  Enough horsing around. I'm neither an account (I got a B- in grad school in accounting), nor a tax attorney, so I can't speak to the IRS implications, but what I can tell you is that in one context, it doesn't matter a hill of beans whether the devices are corporate or employee liable if they are not managed.  Individual liability is a recipe for chaos (and potential disaster) if the IT department doesn't know what its employees are doing.  I can't tell you the number of companies I have spoken to where they start an audit process only to realize they have dozens, if not scores of phone numbers on the company plan that have not been used in months!  That's just from an expense management perspective.

What's most important is to ensure that there are proper policies, procedures and solutions in place for:

• mobile device procurement and provisioning
• mobile device management
• mobile application management
• mobile service management
• mobile security
• wireless expense management
• mobile help desk
• mobile device retirement and replacement

Yawn...Like you've never heard me say that before.

The key point is that regardless of who pays for the device or the service (and there's a difference there too), the company MUST be able to have visibility into what people are (not) doing with the mobile device they are using for work and make sure that it can be controlled.  It doesn't matter even if the employee bought it on their own and have no plans to expense any of it.

If you're accessing sensitive corporate data (and that includes email, people), I will argue the company needs to know about it and do something to make sure they are managing the device and its access to back end systems.  The access must be controlled.

You want an iPhone, a Pre or Pixi, or a new Droid?  Go nuts!  Just make sure it's something your company said is OK and that you are following all the regulations in your company/industry/sector (shame on your company if they don't have an updated mobility policy). That said, some companies are going to have policies in place that say "You can only have a BlackBerry because we want the security and manageability of the BES."  That's a very strong and fair argument.  The new trackpads they have are uber cool, by the way.

So in closing, I will argue that a personally liable device can be just as secure as a corporate liable device, if (and only if) the IT department can deploy whatever it has to onto that device to be able to control it (this, by the way, is an example of where the BES rocks).  The risks come when you don't have visibility on what your employees are doing and then don't do anything to manage mobility in an organized fashion.