personally, with ssn's and such at stake i'd do both... flat out tell them that I personally will not work on the project unless they are willing to adapt and allow for encrypted data and encrypted streams...

but that might just be me, others might not care... which from what i've read is the stance your company has... that aslong as they can't be held responsible they don't care what goes on.