I've been asked to forward this to the list from an anonymous reader.
1.) Has there been an audit of other data systems that store SSN -
regardless of its usage.
2.) What procedures are being developed/have been in place/have been
used to migrate away from SSN.
3.) If unavailable to remove their dependency in near-term on SSN, (e.g.
Payroll), what methods have been implemented to mitigate risk of release.
4.) Has a 'best practices' strategy been developed for any legacy
systems that use SSN information (either as keys or as attributes)
5.) What methods have been put in place to detect userbase leakage.
A formal response from ACNS would be appreciated.