Have we not learned anything?
Don't store info you don't need. Ideally don't collect info you don't need, but this is govt.
So check a driving record on hiring but don't store the license on a live system afterwards.
If you need to check SSN don't store it, or store a hash and ask people for it again if you need to verify. And ffs stop assuming knowing your SSN proves identity.
And if you must store data - silio it. The receptionist who clicked on a spam link shouldn't have full access to every field in every database and every file share.
This goes double for bosses, the higher up the tree you are - the less data you NEED direct access to.
Strangely this should have been obvious to high school kids 20 years ago so it's not like this is a "workplace boomers don't understand computers" thing