I am running Exchange 2007 using ActiveSync to a Motorola Q smartphone and
I'm trying to understand my exposure when a device is lost. If I'm using an
Active Sync policy that requires a strong password, encrypts storage cards
and enable remote wiping of the device, is that all I can do? If so, there
is a gap when a device is lost while logged in, and not reported immediately,
is that right?

In other words, the data (mail, contacts, etc) on the smartphone itself, not
on a storage card, is not encrypted and therefore accessible, is that right?