ATLANTA -Embattled data broker ChoicePoint Inc. said yesterday that the Securities and Exchange Commission is investigating stock sales by its top two executives.
The company also announced that it is strictly limiting sales to small businesses of consumer information.
The SEC investigation was prompted by revelations that Chief Executive Officer Derek V. Smith and President Doug C. Curling earned $16.6 million on sales of ChoicePoint stock after the company learned of a major security breach but before it was made public.
The breach, uncovered last fall but not announced until Feb. 15, involved people who posed as small-business customers to gain access to sensitive data that was used to steal identities.
ChoicePoint collects data on individuals, including Social Security numbers, real estate holdings and current and former addresses. It has about 19 billion records, and its customers include insurance companies, financial institutions and federal, state and local agencies.
The company's stock has dropped more than 17 percent since the breach was made public. Yesterday, ChoicePoint shares fell $2.63, or 6.5 percent, to close at $37.65 on the New York Stock Exchange.
Smith told the Associated Press in an interview yesterday that he did not learn of the breach until late January, though Los Angeles County detectives made their first arrest in the case in October.
Last week, Smith was quoted by the Atlanta Journal-Constitution as saying that he didn't learn about the breach until late December or January.
"There is no way that a CEO can know everything that is going on as it relates to an operation," Smith told the AP yesterday. "I am not involved in the day-to-day operations of the business."
Smith said ChoicePoint didn't grasp the magnitude of the breach until this year.
Asked whether he would resign over the matter, Smith said, "I have no intention of leaving the company."
Corporate governance experts say the pattern and timing of the stock trading by Smith and Curling raise questions. ChoicePoint says it was prearranged under a plan approved by the company's board that was announced Nov. 3.
The personal information of 145,000 Americans might have been compromised in the breach, and authorities say about 750 of them were defrauded. Consumer advocates have called for federal oversight of the loosely regulated data-brokering business, and congressional hearings are to be scheduled on the issue.
In an interview with the AP last week, Smith said: "We voluntarily found the breach [in October] and notified law enforcement." He said yesterday that he didn't mean to include himself in that reference.
Smith said the decision to strictly limit information sales to small businesses follows "the response of consumers who have made it clear to us that they do not approve of sensitive personal data being used without a direct benefit to them."
ChoicePoint said small businesses will be permitted to purchase its data only in certain cases, such as when the products support federal, state or local government purposes. The company's 17,000 small-business customers account for about 5 percent of its annual revenue of $900 million.
Last month, ChoicePoint said it was notifying people who might have been affected by the breach.
The company said yesterday that the number of potentially affected customers might increase but that it doesn't think the increase will be substantial.
ChoicePoint has repeatedly said it delayed disclosing the breach for several months because California authorities had asked the company to keep quiet to protect the fraud investigation.
It said yesterday that it learned of the possibility of fraud Sept. 27.
A similar breach involving 7,000 to 10,000 ChoicePoint records occurred in 2002 but did not become public until it was reported by the Los Angeles Times this week.
ChoicePoint said the SEC has told the company that it is conducting an informal inquiry into the stock sales and the circumstances surrounding identity thefts in the breach of its database. Critics say ChoicePoint's evaluations of small-business customers were far too lax.
The company also said the Federal Trade Commission is conducting an inquiry into ChoicePoint's compliance with federal laws on consumer information security and related issues. The FTC has asked for information and documents regarding ChoicePoint's customer-credentialing process.