Sorry, I just want to add that we have to get to a point where we make the data almost useless. What is important is the validation that comes with the data. Therefore, if there is an attack—a social engineering attack or otherwise—where the data is collected by the attackers and somehow attempted to be invoked into the system, it's rejected because it's not coming from a validated source.
We want to make our personal information, on its own, useless. Give it to the attackers. Fine. They can't do anything with it because they can't validate it properly.