On reading this post, I immediately thought of sending companies email about risks as a way to inject potential liability into their decision process. "Hey, I cut my finger on your sharp holiday ornament. You should get that looked at." Then, when there's an ornament class action suit, it can be shown that they ignored the information. More to the point, in theory they might be motivated to preemptively address the risk to avoid this newly enlarged liability, especially if legal counsel is copied. It's slightly fanciful in the real world, but that's the theory.
So yes, I would not be at all surprised if the email whitelist practice is in part to avoid liability.
Great point. In a lot of cases, we're too reactive to perceived risk rather than not enough. I have a hard time guessing whether enforcing that through litigation is worse than regulation, which has its own iffy track record.