With a lost Android device there are a number of things that need to be considered. Android devices do not encrypt the data stored on them by default but instead require the user to use a PIN or password then enable the encryption afterwards. If the device is lost or stolen and there is no passcode all data on the device is accessible to the party that has the phone. This includes any email or other accounts that are present on the device, as the phone memory is not encrypted.
Devices that are lost with a passcode but not encrypted can still be vulnerable as the memory card in the device may contain sensitive data that is easily accessible without knowing the passcode. The data on a phone secured with a passcode is not protected except by the operating system. A malicious person could find a way to access the storage media without the use of a passcode or they could reset the device, which would remove the index of where files are stored on the phone but not actually delete the files. This is very similar to a computer when something is deleted from the recycle bin. The record of the file is deleted from the index but it is not erased off the hard drive until it has been overwritten with something else.