Story Published: Feb 23, 2005 at 8:39 AM PST
Story Updated: Aug 31, 2006 at 12:52 AM PST
ATLANTA - Data warehouser ChoicePoint Inc.'s stock fell
more than 9 percent after a breach of company records that could
affect more than 140,000 Americans sparked predictions of tougher
regulation ahead for the data-brokering industry.
"This means they're going to be subject to scrutiny," said
Daniel J. Solove, an associate law professor at George Washington
University and author of "The Digital Person," a book about data
aggregators such as ChoicePoint.
"The days of these companies living in a hidden underworld of
information mining, information use and information trafficking
will end," he said. "There will be more regulation and more
rights for individuals."
ChoicePoint's shares tumbled $4.20, or 9.7 percent, on Tuesday
and closed at $39.30 on The New York Stock Exchange. It lost an
additional 24 cents in extended trading. The stock had traded at a
52-week high of $47.95 earlier in the month.
In Washington state the identity theft operation obtained
financial information on 3,189 consumers, according to a
state-by-state breakdown released Tuesday by ChoicePoint. The state
attorney general's office has received a few inquiries but remained
unclear on whether there was any pattern in how Washington was
affected by the scam, spokesman Greg Lane said.
The company acknowledged on Feb. 15 that thieves apparently used
previously stolen identities to create what appeared to be
legitimate businesses seeking ChoicePoint accounts. They then
opened up 50 accounts and received volumes of data on consumers,
including names, addresses, Social Security numbers and credit
reports.
The ring, which operated for more than a year before it was
detected, used the information to defraud at least 700 people,
according to California investigators.
ChoicePoint learned of the problem in October but, until this
month, did not begin notifying the 144,778 people across the nation
that it said were possibly affected by the identity theft scam.
Initially, it only notified 34,114 Californians it said were
vulnerable.
The company announced plans to rescreen its 17,000 business
customers to make sure each one is legitimate, and said it has
hired a retired Secret Service agent to help revamp its
verification process. ChoicePoint said any business that is
not publicly traded or not a government agency will have to be
recredentialed to use its services.
"It will involve the revalidation of any information they
previously provided as well as requests for additional
information," ChoicePoint marketing director James Lee said. "Certain customers will receive site
visits, but I can't be more specific than that because we don't
want to reveal too much."
He said it could take up to 60 days to recredential the affected
customers.
Once recredentialed, those customers will no longer receive
access to consumers' Social Security numbers, dates of birth and
driver's license numbers unless they are sponsored by a public
company or government agency, Lee said.
The company said in a statement that it is seeking to "remove
information in those segments where organized crime fraud is likely
to occur."
The customers affected represent less than 5 percent of the
company's $900 million in annual revenue.
The company has also paid for a one-year subscription to a credit
monitoring service for each of the 144,778 people who may have been
affected by the breach.
ChoicePoint said it is almost done notifying by mail all of the
potential victims. California authorities have said as many as
500,000 people may have been affected, but ChoicePoint disputes
that number.
"All I can tell you is our number is roughly 145,000, and we
know that we're over-notifying," ChoicePoint marketing director
James Lee said. "There will be duplications in there."
Formed in 1997 as a spinoff of credit reporting agency Equifax
Inc., ChoicePoint has 19 billion public records in its database at
its suburban Atlanta headquarters, including motor vehicle
registrations, license and deed transfers, military records, names,
addresses and Social Security numbers. The sheer size of its
database makes it an industry leader in the data collection
business.
"I hope that what consumers will do is begin to revolt," said
Barry Steinhardt, director of the technology and liberty project at
the American Civil Liberties Union. "We need to have much tougher
privacy laws in this country."
Leaders in Georgia announced plans Tuesday to require
companies to notify the state's residents when their personal
information may have been stolen.
Only California now has a law requiring such notification. New
Hampshire, New York and Texas are considering similar bills, and
U.S. Sen. Dianne Feinstein, D-Calif., reintroduced legislation last
month for a national version of the California law.