Security's Everyman

Friday, August 17, 2007

New Information Security Poll

Yesterday I asked a few guys on the TCC SILC channel for ideas for a new poll. The first suggestion had to do with keeping SSNs. I thought it was ironic because there was a thread on a PCI mail list asking that very question. The guy on the TCC channel that suggested the SSN question was completely unaware of the PCI mail thread. Then when I got home I had a letter in the mail telling me that a company that has access to my PII had had it compromised. It was sold by an employee to a marketing broker. Who knows what happened to it after that. Part of the information that they had was my SSN. How lovely. Then on top of that I remembered a friend who works in a university environment that has had a couple of SSN incidents lately. So all of that combined made me think that a poll on the validity of companies keeping SSNs was in order. So here is the question, and you can rush to my web site to take the poll.

Is there a valid reason for companies (other than employers) to ask for and keep SSNs?

This is a hot topic in the world of Information Security. Many think that there is no valid reason for any company to ask for them and definitely not to keep them. Then there are those who think that there is a valid business reason. Others argue that it depends on the industry. In my opinion, SSNs and ANY PII (personally identifiable information) should only be used when absolutely necessary, and storage of them should be kept to an absolute minimum and guarded like it was financial information. Customers are the lifeblood of any business and need to be treated as such.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.