WHEN SECRETS GET OUT

ChoicePoint Inc. is in the business of tracking and selling secrets: sensitive information like credit histories, and Social Security and driver's-license numbers. But now the firm's top executives are under investigation over whether they kept too many secrets of their own.

At issue: the sale of millions of dollars of company stock by ChoicePoint chief executive Derek Smith and president Doug Curling soon after the firm discovered a major security breach last September that potentially exposed 145,000 people to identity theft. After it was fully disclosed last month, and long after the executives began selling their shares, the bad news triggered a sharp drop in the stock price. On Friday, the company said the Securities and Exchange Commission had launched an informal inquiry into the stock sales--which the company says were part of a prearranged plan, put in motion before the breach occurred, to sell for tax and estate-planning purposes. SEC filings show the last sale was Feb. 23.

NEWSWEEK has learned that the SEC is also looking at the sales from another angle: whether the company failed to disclose important, potentially market-moving information at a time when company insiders were selling stock, one person with knowledge of the inquiry says.

A company spokeswoman says both Smith and Curling did nothing wrong, and adds that they were asked in writing in November by the Los Angeles County Sheriff's Department to hold off disclosing the breach until at least January, because publicity might compromise the investigation. (The company declined to provide a copy of the letter, but read a portion of it to NEWSWEEK.) A spokesman for the SEC declined to comment.

The timeline begins Sept. 27, 2004, when ChoicePoint first discovered it may have allowed identity thieves, who posed as legitimate businesses, to tap into its data-bases. In mid-October, a company security director notified the LASD. Two weeks later, just one day after ChoicePoint's board approved Smith's and Curling's stock sales, the police made their first and, so far, only arrest. ChoicePoint remained silent after the arrest, but on Nov. 9, Smith and Curling began to sell their stock, filings show. It wasn't until mid-February that ChoicePoint notified 35,000 potential victims in California, as it was required to by state law. In the weeks following the news, the stock price has dropped more than 17 percent.

Sorting out the facts is likely to be difficult for the SEC, which has to interpret often vague rules and conflicting accounts about when a company must disclose valuable information for investors. Columbia Law School professor John Coffee said that while the company may have "withheld material information to facilitate the prearranged stock sales" by the CEO and president, there could be more benign reasons. Indeed, ChoicePoint offers another explanation--namely, the letter from the LASD that told the company to "delay [the] notification" of alleged victims.

But even this explanation appears to be in dispute. Lt. Robert Costa of the LASD told NEWSWEEK that ChoicePoint might be misrepresenting the intent of the letter, written by one of his detectives. Costa said he informed ChoicePoint to begin disclosing its problems in early November, not long after the company reported the matter to his office. He says the department didn't tell ChoicePoint to hold off disclosing the problem--only to quickly hand over the names of potential victims first.

ChoicePoint can count on more scrutiny. Last Friday the company disclosed that the Federal Trade Commission had started investigating the security breach. And Sen. Patrick Leahy of Vermont, ranking member of the Senate Judiciary Committee, plans to soon hold hearings on identity theft. "Obviously the question of the stock sale will come up," says Leahy. Other lawmakers want increased regulation of the entire data-brokerage industry. ChoicePoint, meanwhile, has said it will start restricting who can buy the data it collects, to reduce the likelihood that identity thieves will gain access to its databases. Better late than never.