I wonder if you're being modded funny for implying that Java is a knockoff of .NET, because that is pretty funny. Or sad...

No offense, but I've always suspected that the biggest reason companies have irresponsible policies like the one described in the OP is because of irresponsible programming like you just described.

In order to perform collision detection, there is absolutely no reason that you couldn't track the SSN separately from the primary key on your "customers".

I'm not big on regulation, but there really should be a law preventing the usage of SSN as a PK in any data storage schema.