There are 2 primary problems with secure information handling. The first is that the idea that most secure information released needs to be complete to be recognized as valid. This is not the case with complicated records. For example an individual wants to go to a car dealership to purchase a car on credit. It is thought that credit information required needs to be complete; this is false, what the credit officer needs to know is if the person before him/her is actually the person that is reflected on the credit report and what the credit score is as well as any comments on past credit history. Therefore the personal identification information like a driver's license number coupled with the last 4 digits of the SSN and the birth date will provide that proof of identification. The credit data is information that needs to be complete but the personal information that is utilized by thieves is still secure.
The second idea that is invalid is that the device that handles the secure information needs to be the same device that is used to access the information. This is particularly true of web access systems. What is needed is a type of version of the same system that humans utilize. The person responsible for securing the information is a different person who is responsible for the utilization of that same information. This system works well for people and will work well for computers. While the design philosophy that a user be allowed to directly access the information is more efficient (Please note the idea has driven the design of computer systems for over 40 years) it has not been successful in handling secure information.
There has been an attempt in doing this with the utilization of a “Secure” information vault on a server. The problem that faces security teams is that when hackers access a server, they always end up with the server's administrator privileges. This means that the “Secure” information vault now is controlled by the intruder. Once you loose the control, you loose the information. It is either compromised to outside sources or destroyed.