Yesterday an issue came up at the office that I wanted to ask the rest of the community about: we had a person call in, identifying themselves as being from a large law firm, asking for the names of those people from her firm who were signed up for our services. My company offers web-based financial services by subscription, so it's not at all uncommon for us to have customers from financial and legal firms, and to get calls from them asking about their accounts. Sometimes we even have a relationship with one person at a company who doles out bulk-rate subscriptions for our services to their colleagues.
What was notable about this caller, however, was that we didn't have a prior relationship established with this person or company, and we really had no way of verifying that they were who they said they were. My colleague who was taking the call put this person on hold and asked me whether he should grant this person's request; my answer was to have him say that while he could tell the caller how many people from her company were signed up with us, we were not allowed to give her their names. We did offer to contact them on her behalf to ask them to get in touch with her.
These kinds of calls, while not frequent, are somewhat common. For instance, we get secretaries calling on behalf of busy lawyers, or the folks from the finance department who've noticed our company's name as a charge on the company credit card and want to know who placed it. I'm sure this happens to other web-based businesses as well. So my question to the rest of you is this: how do you handle requests for customer account information? Do you take any measures to verify that the caller's stated identity is authentic? If a third party calls and asks for information about other people, how do you handle it?

Comments (1)
March 5, 2008, 13:33PM
Where I work we don't give out any personal information, or make changes to anyone's account unless they verify their account user name and password or the last four digits of their credit card (the only part stored in plain text on our system). Without that, they get nothing but an "I'm sorry but I cannot give you that information." Of course, a subpoena is a different story.