At the moment all of our encrypted stuff is encrypted before it is passed to the database.
(C# Framework 4.0, if you care.) This means I mostly don't have to answer questions about packet sniffing and other network-related weirdness.
But note that we currently don't have an offering for sensitive data (HIPAA, etc.); the closest we come is PII (no SSNs), which is honestly either available through other channels already or subject to FOIA.
There is already a group here that handles payment cards, and they are on certified systems with two-factor authentication, etc.
Edit: SSN == social security numbers, FOIA == freedom of information act