A couple of loose ends...

Re complex passwords. Should be enforced if possible. The network I audited includes some specialized devices that, for example, don't allow lower case or special character data entry. They also have both Windows and Linux. You can substitute length for complexity. They have chosen to require long (12 character) passwords to avoid compatibility problems. This is a new requirement based on my recommendation. Now, if they can just get the employees to actually use 12 characters ...

This may be well known but for our non-USA members, SSN means Social Security Number, the closest thing we have to a national ID. It's supposed to be confidential but your employer, insurance agents, doctor, creditors, .... have to know it. My phone number is more confidential.

As to date of birth, most people will tell it to a perfect stranger (Hi, we're giving away wide-screen TVs to selected idiots. I just need to know your DOB ...)

Reminds me of a test from a few years back. People in a London train station were offered a cheap pen if they would reveal their office password. I have forgotten the details but 70 or 80% told.

Social Engineering - Most of the newsworthy exploits depended on SE. It's impossible to prevent but tell your telephone operators and customer assistance people (and remind them monthly) that they must not give out personal info no matter how unimportant it seems. No one's birthday, middle name, that they're on vacation, nothing. Most people want to help and it's hard to make them remember that a sad story may be false. Also, shred your sensitive paperwork before discarding. Dumpster diving has yielded some of the most valuable data used in hacks.
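An added example (not from the poster) of the "length instead of complexity" trade-off described above: a policy check that accepts either a complex password or a 12-character one, so devices that cannot enter lower case or special characters can still comply, plus a keyspace estimate showing why 12 characters from a reduced character set is no weaker than a shorter complex password. The 8-character threshold for the complexity rule and the "three character classes" definition of complex are assumptions, not from the post.

```python
import math
import string

MIN_LEN_COMPLEX = 8       # assumed legacy rule: 8 chars if "complex"
MIN_LEN_LENGTH_ONLY = 12  # the 12-character rule from the post
MIN_CLASSES_COMPLEX = 3   # assumed definition of "complex"

def character_classes(pw):
    """Count which of lower/upper/digit/punctuation appear in pw."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),  # 32
    ]
    return [size for chars, size in classes if any(c in chars for c in pw)]

def keyspace_bits(pw):
    """Upper bound on brute-force work: log2(alphabet_size ** length)."""
    alphabet = sum(character_classes(pw))
    if alphabet == 0 or not pw:
        return 0.0
    return len(pw) * math.log2(alphabet)

def meets_policy(pw):
    """Accept a complex password of >= 8 chars OR any password of >= 12 chars.
    The length-only path is what lets devices without lower case or
    special-character entry satisfy the rule."""
    if len(pw) >= MIN_LEN_LENGTH_ONLY:
        return True
    if len(pw) >= MIN_LEN_COMPLEX and len(character_classes(pw)) >= MIN_CLASSES_COMPLEX:
        return True
    return False

if __name__ == "__main__":
    # Constructed samples: upper-case + digits only (a restricted device)
    # versus a short password using all four classes.
    for sample in ("ABCDEF123456", "Pa$sw0rd", "abcdefgh", "ABCDEF12345"):
        print(f"{sample!r:16} policy={meets_policy(sample)!s:5} "
              f"bits={keyspace_bits(sample):.1f}")
```

The 12-character upper-case/digit password comes out around 62 bits of keyspace against roughly 52 bits for the 8-character four-class one, which is the arithmetic behind substituting length for complexity.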