Greg,
I understand you are looking to modify your web messenger configuration so that it will only encrypt to external customers when certain conditions are met (Credit card data, ssn, etc.) It is possible, but difficult.
There was a recent thread where the same question was asked, and a very thorough answer was given. Please see : http://www.symantec.com/connect/forums/email-encryption-pgp-desktop-managed-client
There you will find instructions on how to create policy rules to kick off web messenger encryption for things like SSN and Credit card data. However, it is a difficult process, and we recommend thoroughly testing any policy changes that you make in a lab or test environment first.
Additionally, you may want to consider that the SEMS server can integrate with Symantec Data Loss Prevention. This would be a more professional and easier to support solution. I'll include the details on DLP and how it integrates with the product below. This information can be found on P. 169 of the SEMS 3.3.2 admin guide (or P.185 if you are viewing in a PDF reader)
"Symantec Encryption Management Server now integrates with Symantec Data Loss Prevention and Symantec Messaging Gateway powered by Brightmail.
- Symantec Encryption Management Server secures sensitive email and reports back to Data Loss Prevention with confirmation that messaging security is followed.
- Messaging Gateway sends outbound email to Data Loss Prevention.
- Data Loss Prevention scans the email, flags it for security violations or sensitivity, and then sends it back to Messaging Gateway.
- Messaging Gateway sends flagged email on to Symantec Encryption Management Server.
- Symantec Encryption Management Server processes the email through mail policy.
- Symantec Encryption Management Server then sends status confirmation back to Data Loss Prevention that the message was encrypted and sent out in compliance with security requirements."