ATLANTA – ChoicePoint Inc. (CPS), a leading data warehouser, said the Securities and Exchange Commission (search) is investigating stock sales by its top two executives and the embattled company decided to stop giving personal information about consumers to small businesses. Its shares tumbled on the news.
The dual announcements were made Friday by the Alpharetta, Ga.-based company in a news statement and a regulatory filing.
The SEC probe involves sales of stock by chief executive Derek Smith and president Douglas Curling for a $16.6 million profit in the months after the company learned its massive database had been breached and before that was made public.
ChoicePoint's stock had dropped about 10 percent since the personal information breach at the data collector was announced Feb. 15. On Friday, ChoicePoint shares fell $2.43, or 6 percent, to $37.85 on the New York Stock Exchange (search).
Corporate governance experts say the pattern and timing of the trading by Smith and Curling raise questions, while ChoicePoint has said the stock trading was prearranged under a plan approved by the company's board.
The decision to stop selling data to small businesses was made because that was the segment of the company that thieves tapped into to gain access to ChoicePoint's database. Smith said in a statement that the decision follows "the response of consumers who have made it clear to us that they do not approve of sensitive personal data being used without a direct benefit to them."
ChoicePoint said it will stop selling information products that contain sensitive consumer data, including Social Security numbers (search), to small businesses, except in limited cases where the products support federal, state or local government purposes.
Last month, ChoicePoint said it was notifying about 145,000 Americans that their Social Security numbers and other personal information may have been viewed by criminals posing as legitimate ChoicePoint customers. The company said Friday that the number of potentially affected customers may increase, but it doesn't believe the increase will be substantial.
ChoicePoint has said repeatedly it learned of the breach in October, but delayed disclosing it because it said California authorities had asked it to keep quiet to protect the fraud investigation. It said in a detailed explanation Friday that it first learned of the possibility of fraud on Sept. 27. A similar breach involving 7,000 to 10,000 ChoicePoint records occurred in 2002.
ChoicePoint said Friday the SEC has notified the company that it is conducting an informal inquiry of the stock sales as well as the circumstances surrounding the possible theft of people's identities in connection with the breach of its database. The stock sales occurred between November and February.
ChoicePoint said it will cooperate with the probe and "provide requested information and documents to the SEC."
The company also said in a lengthy regulatory filing that the Federal Trade Commission is conducting an inquiry into its compliance with federal laws governing consumer information security and related issues.
The FTC has asked for information and documents regarding ChoicePoint's customer credentialing process and the recent incident in Los Angeles involving a Nigerian man who was accused of committing fraud using consumer information from the company's database.
The company said it is a defendant in several lawsuits and complaints arising from the breach. It said it could not estimate the financial impact on the company of the customer fraud and related events.
It wasn't immediately clear how many customers the decision on small businesses affects. ChoicePoint said Feb. 21 when it decided to rescreen 17,000 small business customers that that action affected 5 percent of its annual revenue of $900 million.
In Friday's regulatory filing, it said that because it will no longer sell information to small businesses, it expects a decline in core revenue this year of $15 million to $20 million.