"If the first, you're hosed. You can't prevent every possible way of infringing, no matter how hard you try."
Actually, using a whitelist proxy and firewall rules (deny all; allow the email server and the proxy server) you can prevent every possible way of infringing. Simply deny all, and allow work-related domains through the proxy. Let them do the rest of their surfing on their smartphones, give them a slight raise and make them pay for their own phones (so if they steal with their phones, it's on their own account). Strip all email attachments except PDF and Office docs. Limit message body size. Limit attachment size. Rate-limit incoming email messages and alarm on unusual activity (more than 10 messages from one address; a 250k email limit, with a file upload script on your web server for larger files, which sends them to quarantine).
Done... This will immediately shut down all p2p in your network, break pirate bay, warez sites, warez news servers, child porn, and lots of other badness.
Provide three examples of high dollar infringement settlements to your CEO/CIO, offer your solution. Let THEM decide if a week of your time adding domains to a list and setting up a security model that works is cheaper than getting sued. You'd be killing a lot of birds with one stone.
Simply tell them you can prevent everything with a whitelist solution, or you can do it some other way and the company will always be one step behind its employees' p2p efforts.
This will have the added benefit of greatly reducing your attack surface due to web surfing as well. Default deny is the only truly secure way to run your network.
If you have already implemented default deny and defense in depth, you don't need to do anything to comply with this law except clean out the stuff you don't know from the white lists.
This completely eliminates the need to monitor your employees and track their activity. You don't need to monitor known goodness.
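The default-deny egress whitelist and the inbound mail rules described in this comment, written out as an added stand-alone example (not the commenter's code or any product's). The whitelist entries, the body-size limit and the choice to quarantine oversize attachments are assumptions; the 250k limit and the 10-message alarm threshold come from the comment.

```python
"""Default-deny policy checks: egress domain whitelist plus inbound mail
filtering (allowed attachment types, size limits, per-sender rate alarm)."""
import os
from collections import defaultdict
from dataclasses import dataclass, field

ALLOWED_DOMAINS = {"erp.example.com", "mail.example.com"}   # constructed whitelist
ALLOWED_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"}
MAX_BODY = 64 * 1024         # assumed body-size limit
MAX_ATTACH = 250 * 1024      # the 250k limit from the comment
RATE_ALARM = 10              # more than 10 messages from one address alarms


def egress_allowed(host: str) -> bool:
    """Default deny: a host passes only if it, or a parent domain, is whitelisted."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in ALLOWED_DOMAINS for i in range(len(labels)))


@dataclass
class MailPolicy:
    seen: dict = field(default_factory=lambda: defaultdict(int))
    alarms: list = field(default_factory=list)

    def check(self, sender: str, body: str, attachments: list[tuple[str, int]]):
        """Return (decision, kept_attachment_names); decision is 'deliver' or 'quarantine'.
        attachments is a list of (filename, size_in_bytes)."""
        self.seen[sender] += 1
        if self.seen[sender] > RATE_ALARM:
            self.alarms.append(f"rate: {sender} has sent {self.seen[sender]} messages")
        if len(body.encode()) > MAX_BODY:
            return "quarantine", []
        kept = []
        for name, size in attachments:
            ext = os.path.splitext(name.lower())[1]
            if ext not in ALLOWED_EXT:
                continue                      # strip everything except PDF/Office docs
            if size > MAX_ATTACH:
                return "quarantine", []       # oversize: assumed to go to quarantine
            kept.append(name)
        return "deliver", kept


if __name__ == "__main__":
    policy = MailPolicy()
    # constructed sample: one PDF kept, an executable stripped, a 300k PDF quarantined
    print(policy.check("vendor@partner.example", "invoice", [("inv.pdf", 4096), ("setup.exe", 9000)]))
    print(policy.check("vendor@partner.example", "big", [("scan.pdf", 300 * 1024)]))
    print(egress_allowed("portal.erp.example.com"), egress_allowed("tracker.notwork.example"))
```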