So I recently went to work at a call center. Because we deal in confidential information, we’re required to verify each customer’s identity with their date of birth. I’ve had people refuse because of concerns of identity theft. This makes no sense to me because it’s not like this is a unique identifier like a social security number. But am I missing something here?
It doesn’t make a lot of sense in your case since you obviously know the date of birth of the person the caller claims to be. And while date of birth and name clearly do not form a unique identifier, I recently read the following in some guidance document relating to HIPAA regulations:
“It has been estimated that the combination of a patient’s Date of Birth, Gender, and 5-Digit ZIP Code is unique for over 50% of residents in the United States10,11. This means that over half of U.S. residents could be uniquely described just with these three data elements.”
One problem is that an identity thief might find out more information elsewhere, using DOB to as one piece of the picture.
As an example, I use a background check website to check up on employees, vendors and clients for my business. I can get results with just a name, but names are so common that it’s often very hard to know who I’m looking at. (Is it the John Smith with five domestic violence charges, or the John Smith who is an upstanding homeowner?) The website prefers that I enter a name and date of birth, which almost always narrows down the person to just one obvious option.
From there, I’ve got tons of information: prior addresses, prior names and aliases, family members, people they’ve lived with, criminal records, bankruptcy filings, civil judgments, etc.
If I received an unsolicited phone call asking for my date of birth, I would absolutely refuse to give it - I won’t even confirm the year or my age. On the other hand, I assume that you’re at a call center where people have called you. It seems pretty stupid to refuse to give you information in that case - you’re confirming their identity, not gathering information for the first time.
I was posting on my phone, so I wasn’t clear on my job.
I work at a call center where I have to make outbound calls as well as take inbound calls. My employer doesn’t cold call to make sales, my department calls current customers who are delinquent on their accounts. Because we do deal in financial information, we are required to verify identity with DOB or last four digits of the customer’s Social Security Number before we can give out demographic or any other information about the account. And that’s all we need DOB for. It’s typically on the outbound calls that people won’t give it, although I’ve had a few inbound callers who have refused.
My question specifically has to do with the fact that DOB is probably the least secure piece of personal information out there. My parents obviously know it, my husband knows it, my employer knows it, and probably a million people know it. So how much damage can it do that so many people get their backs up about it?
This is nuttery. You are asking them to verify the birthdate that you already have on file for them. Folks know that identity theft is an issue but they’re absolutely clueless about what’s important and what is not.
Finding someone’s birthdate is a fairly trivial task. It’s attached to all sorts of public records. As dracoi said, it’s one piece of several that could lead to trouble, but so is a person’s name.
Well… if my answer didn’t help, I’m not sure what more to say.
Date of birth is not necessarily public information, especially if a person is careful about what they reveal. (For example, one of the reasons I left FaceBook: while I can control my privacy settings for my profile, I cannot stop my friend from posting “Happy 40th!” on my wall. I know they mean well, but I do not want that information out there. Not everyone I’ve friended is someone I trust with that kind of information.)
Maybe it would help to look at it from the customer’s standpoint. What if an identity thief has your address, phone, name and SSN, but still needs a date of birth to open up that fake bank account? The simple solution is: Just call you up, pretend to be official and ask for it.
If I received a call from you, and thought you were legitimate, I would politely ask for the company you represent and for a number which I could call back. I’d double-check that number online and then call back myself. (If I didn’t think you were legitimate, I’d just hang up and not call back).