The inquiry and the planned business changes, announced Friday, both come on the heels of a scandal that.
Now, the company says it will no longer sell "sensitive" data, including Social Security and driver's license numbers, "except where there is a specific consumer-driven transaction or benefit, or where the products support federal, state or local government and criminal justice purposes," CEO Derek Smith said in a statement.
Despite ChoicePoint's pledge to change its business practices, the company is already preparing for a tidal wave of potential legal activity because of the data scandal. The Federal Trade Commission, the U.S. Securities and Exchange Commission and a number of state attorneys general have already informed the company that they have launched investigations into various aspects of its operations. In a document filed with the SEC, ChoicePoint detailed claims brought by those officials and described new calls for the review of commercial data-handling procedures by "a number of congressional leaders."
According to the filing, the SEC is also conducting an "informal inquiry" into the possibility that Smith violated trading laws in some recent stock transactions. The company said the FTC is investigating its compliance with federal laws on consumer information security, specifically how ChoicePoint verified the credentials of the people allegedly responsible for the data theft.
Smith could not immediately be reached for comment.
Atlanta-based ChoicePoint provides consumer data services to insurance companies, other businesses and government agencies.
Last month, the company revealed that scam artists had gotten access to personal data on about 145,000 people, resulting in at least 750 cases of identity theft. The scandal has prompted calls forto protect consumers' privacy rights.
A separate lawsuit targeting ChoicePoint has been filed in Los Angeles Superior Court by a woman who has accused the company of fraud and negligence for its alleged inability to protect consumers' data.
Now the company says it is planning substantial changes to its business. It will sell personal information only if the data is needed for one of three general reasons: to support consumer-driven transactions necessary to maintain relationships such as those with insurers or employers, or to provide consumers access to their own data; to provide authentication or fraud-prevention tools to large, accredited corporate customers where consumers have existing relationships; or to assist federal, state and local government and criminal justice agencies.
ChoicePoint said it will continue to serve most of its customers. But the changes will affect the availability of its products in certain markets, particularly to small businesses.
In addition, the company said it will set up a credentialing, compliance and privacy office, which will report to the board of directors, to oversee improvements in customer credentialing and set up a faster incident-reporting process.
The changeover should be completed in the next 90 days, ChoicePoint said. The moves are expected to cost the company between $15 million and $20 million in sales during 2005 and to reduce earnings per share by 10 cents to 12 cents.
"These changes are a direct result of the recent fraud activity, our review over the past few weeks of our experience and products, and the response of consumers who have made it clear to us that they do not approve of sensitive personal data being used without a direct benefit to them," Smith said in the statement.
"We apologize again to those consumers that may be affected by the fraudulent activity. We remain committed to helping them take active steps to protect their personal data and to assisting law enforcement officials who are investigating the attacks on consumers' identities."