The biggest takeaway from all of this? Personally identifiable information must be secured. Period. No more excuses. Whether customer or employee data, it's been provided to a corporation or government agency under an implicit trust that must not be taken lightly.
While many companies have done an adequate job of securing their networks, they also need to be mindful of protecting the data itself, as both need to be secured. Having a framework that allows for a pre-planned, comprehensive strategy for securing data is really the only answer.
Takeaways for the consumer? Maintain a healthy dose of suspicion when asked to provide personal information. Phishing attacks became so common last year that every reputable financial firm announced they would not generally attempt to contact their customers via email in the event of an account issue, and that if they did, there would be no link in the email. So this problem is a focus of attention, and hopefully other companies will develop similar procedures. One piece of advice: never, ever give out personal identity information to anyone who calls. If your institution calls and claims they need such information, ask which department the caller works in and state that you will call back. Do not take a number from the caller; instead, get the customer service number for the institution from a statement or their website, call that number, and ask whether they are actually seeking the information and why.