The federal government has become increasingly involved in regulating information security across a variety of industries. If you provide any services in a regulated industry, you could be responsible for meeting security requirements, including email security. Healthcare is governed by the HIPAA security rules. Educational institutions are governed by FERPA. Institutions that conduct financial transactions could fall under one or more sets of requirements, including PCI if you accept credit card data.
You need to understand what your responsibilities are regarding protections such as email security, so that appropriate steps can be taken to ensure that protection exists. No one wants expensive fines from government agencies, but the costs of lawsuits, bad press, or loss of client confidence could potentially be the final nail in the coffin for your business.
This was first published in April 2008.