Companies deploying end-to-end e-mail encryption often do so to meet state and federal regulations. Ironically, the encryption architecture may stymie administrators charged with enforcing security and policy compliance, which may lead to other legal risks.
As described in "Bolt Down Your E-Mail", an end-to-end e-mail encryption architecture places the encryption keys and functionality on the user's PC. This strategy may suit an organization with only a few users who deal with sensitive information. But the benefits of end-to-end encryption may be overshadowed by the risks associated with being unable to monitor these communications.
For instance, a user could employ the encryption system to facilitate the theft or transfer of trade secrets or other confidential information. End-to-end encryption also defeats content filtering and data leak-prevention systems designed to meet regulatory requirements.
A lesser known concern is an emerging legal standard regarding failure to enforce a monitoring policy--an obvious result if you can't read encrypted messages--which may lead to serious disadvantages in civil litigation.
Under certain circumstances, your company may be prohibited by a court from retrieving, for litigation purposes, the messages sent or received by a former employee in which she discussed legal matters concerning your company with her attorney. The "work product" doctrine and the attorney-client privilege (legal rules designed to protect the confidentiality of attorneys' files and their client communications, respectively), may kick in if you fail to enforce the "personal-use ban"--the common corporate policy restricting computer use to work purposes.