Under no circumstances should you allow a personal device on your "internal" network, and when you allow a personal device to access your business applications, it should be in a very controlled manner such as (in the laptop scenario you described) via terminal services, and precautions in place to prevent transfer of the data to the employee system in the first place. If the employee "steals" the data, it's a criminal matter. If he just fails to wipe his phone when he quits, you sue him in court.

You've got lawyers: Use them. Data thieves are generally after money, but that becomes an iffy proposition if your employer sues you into oblivion. This really is not any where near as big of a problem as is being made out. Most of these leaks, though, aren't "criminal" situations, they're screw-ups by people who didn't read what they signed when they joined the "iphones allowed" plan for the company Exchange Server.