Data security certainly isn't something that's enforced very well, even by the agencies created to do so :-D. The company I work for handles some sensitive data that's required by law to have several layers of protection; however, we use vendor software for our operations. This vendor software was approved by the regulatory agency that created these policies.
Sadly, none of the data in the databases created by the vendor uses even the slightest shred of the protection it's supposed to have. Encryption is only used on users' passwords; the rest of the data in the databases is in plain text. Names, addresses, phone numbers, everything (not SSNs or credit card numbers, since we don't need those, thank goodness!). Even if these things were encrypted, the SA login name and password are stored in plain text in yet another table, along with the encryption key and hash. Joy!
Unfortunately, despite this vendor being contracted by the regulatory agency here, they've been operating for about 8 years without the slightest mishap in terms of inspection. How this happens is beyond me. Demanding that this sort of data be so heavily protected while you contract out to a company that doesn't even try is mind-boggling.