In html, the & character is an escape character which should introduce a named or numbered character entity. It is not clear to me (I can't find a reference) what should happen when there is no valid entity after the & character. So locking up is a possibility; but not a good choice, of course. The title and author, of course, are meta data, part of the html, so, no bare-naked & allowed. If you must have an & in meta data, it should be expressed as & or & - but I haven't tested that anywhere - an exercise for the interested student... or something to add to the epub conformance tests.
In most Linux shells, the & character is the backgrounding operator, so if you must have a & in a filename, you have to quote the filename. Since you can't know how the reader's embedded code handles filenames, the & is best avoided in filenames, as well.