Nearly all SSNs have leaked by this point. The US needs a cryptography-based ID system. That way each identification event is distinct, and each company gets a different (irreversible) derived ID for a person.
On that larger point I'd agree that companies should not have PII data they don't need.