The bank has the responsibility of verifying the customer's identity over the phone and knowing the customer, but I don't believe the SSN is mandated. Anything you can think of could be used, ranging from mother's maiden name, to date and amount of last deposit, to a prearranged password. It should be something that only the customer should know and quite frankly, SSN isn't all that reliable as an identity thief could obtain that information easily.
If your system allows it, for this customer perhaps you could arrange a password and note it on their accounts. Then anyone who happens to take the call would see that unless they give this password, no information is to be given over the phone. It would appease the customer and show them that your bank does take the privacy issue seriously.
_________________________
'Never' is karma's doorbell.
Ding ding!
It's for you. . . .