Last employer -- a major health care insurance carrier -- had over a million current and former subscribers data in SQL database with no encryption on SSN or other personally identifiable information. I reported this as an issue, and was told that since they had intrusion detection, etc. they don't need to encrypt the data. Guess they have never heard of zero day vulnerabilities or disgruntled employees?