Any sensitive database should have the social security number protected through encryption and, better yet, held separately from the primary database through foreign keys. Most databases support mechanisms to protect this sensitive information (even from Sysadmin accounts), particularly if data requests are made from off-premises networks.
This shows complete disregard for the sensitive information of their customers - plain and simple. With this type of information, it will be very hard for a customer to be alerted if their info is being used (e.g. payment fraud, etc.). One year of protection is certainly not enough, IMHO.