Your role, as a qualified member of the IT staff, is to make the higher-ups aware of the risks. Do your due-diligence, tell them the data isn't secure (in person, in e-mail, and maybe even on paper), and remind them from time-to-time (using creative new analogies whenever possible). That's it, you've done your job.

The fact of the matter is, regardless what the policy is, and regardless what they all "agree" on, they're going to put sensitive information on the Web. You'd have to take away their Internet access and portable devices to prevent it, and even then, they'd just go home and use that.

Accept that the best you can do is educate them and provide alternatives.

At some point, because of the failure to protect privacy, would not "identity" become meaningless, since there will be no reliable way to confirm it?

If identity theft becomes so rampant that credit card companies and banks are losing serious money, they'll remove credit options, meaning much, much lower lines of credit and/or fewer credit cards (as vendors get out of the business).

And when does "identity theft" become a preferable alternative for people that would otherwise declare bankruptcy? "No, that wasn't me that ran up that debt, it was someone that 'stole my identity'! Now please clear my record and let me be about my business."

People are stealing legal "identities" of new-borns, before any personal identity has developed. I'm sure there are/will be cases where the (adult) victim will discover that someone else has a long-established history with his/her identity. Then what?