If (big if) they are using the date of birth as a secondary ID validation AND also sending out happy birthday alerts, then unless they're very clever about how they do it, I'd wager good money that the date of birth is stored in open text in their database. Which would break the general principle of always encrypting anything related to security information.