Protect Your Gold: Data Privacy Concerns and Solutions
by Chasidy Rae Sisk
What happens to personally identifiable information when a vehicle is in the shop for service or repairs?
Social security numbers. Driver’s license numbers. Vehicle identification numbers. Personally identifiable information (PII) is “any information that permits the identity of an individual to be directly or indirectly inferred,” per the U.S. Department of Homeland Security’s website.
In today’s digital economy, PII is incredibly valuable – its position as such a prize has led to data being dubbed “the new gold.” This claim rings particularly true in the automotive industry where modern vehicles know more about their drivers than the vehicle owner knows about their car. But what happens to all this data when the vehicle is in the shop for service or repairs?
Many benefits come from the ever-increasing technology turning our transportation into supercomputers on wheels, such as improvements in safety and convenience factors, but those same systems that improve the driving experience also pose potential privacy hazards by collecting – and potentially sharing – vehicle data. What a scary thought!
What’s even more frightening? Shops commonly find that this data has been accessed without their knowledge or consent. Data pumps constantly monitor the estimate management standard (EMS) export routine, so once the data file is exported, those data pumps create and transmit copies of that exported data. Even once a shop stops using a specific resource, the data pump will continue to send information to that provider indefinitely until it is uninstalled…often without the shop realizing what’s happening.
So, who does collect that data, and why?
“Numerous entities collect data in the collision and auto claims industry, and in some cases, the data is collected as part of processing a collision repair or auto claim,” Jack Rozint (Mitchell International) stated. “Some uses of data are for very specific purposes, and parts providers, rental companies, and information providers are examples of entities that collect data as part of the business services they provide. For example, car rental companies often collect data from the estimate [related to] labor hours which helps them predict the length of the rental and allows for better management of the rental cycle for their insurance partners.
“Others, such as the vehicle history companies and data aggregators, specialize in data aggregation around the entire auto ownership lifecycle and will purchase data from entities within the collision and claims industry as well as from government agencies, tow companies and auto mechanical repair shops,” Rozint added. “These are just a few examples – and in fact, the data from a single estimate may wind up in dozens of databases. While the amount paid for one data transaction is small, the number of transactions can be very large, resulting in millions of dollars in data value per year.”
But how are these entities obtaining that valuable data?
“Estimate information – including personal identifiable information (PII) and repair data – is being shared with a vast number of industry trading partners a shop does business with,” explained Pete Tagliapietra (DATATOUCH, LLC). “A trading partner installs a software control, commonly referred to as a data pump, to monitor the estimate directories, and as it monitors those directories, it automatically grabs that EMS export to provide access for that trading partner to use that information to meet the needs of the collision repair shop. But it also grants them access to a voluminous amount of information in many situations.
“Imagine a number of tentacles reaching out to access this information in an uncontrolled way,” he continued. “They want certain information, but they’re not only receiving that manufacturer’s information; they’re getting all of the estimate information, allowing them to aggregate and repurpose it. Not everyone is doing this, but several companies are collecting data for various financial reasons. And shops have little to no control.”
A large part of the problem lies with the EMS export itself. Intended for internal use only, no security functions were built into the export. Yet, within the repair shop space, data pumps have become the standard way for shops to communicate with their trading partners, and unfortunately, that has led to information misappropriation, according to Tagliapietra.
As an example, he described a situation in which a shop writes an estimate and repairs a vehicle, and within a few days, information shows up in CARFAX. The shop has no clue how it got there, and the customer is angry that their information was shared.
AASP-MN News reached out to CARFAX to find out where it obtains data, how data can be obtained without permission from the consumer or the shops, and how shops can protect themselves from data being inadvertently shared.
“More than 131,000 data sources across North America report information to CARFAX,” CARFAX Public Relations Director Emilie Voss responded to our query. “The details associated with a single event on a CARFAX report may have been reported to CARFAX from several sources, both public and private. CARFAX recognizes the importance of accurate information, and therefore, the Help Center on carfax.com provides an easy, quick way to send CARFAX requests for data verifications and corrections.”
“Based on my information and beliefs, CARFAX receives the vast majority of its collision repair data from industry stakeholders who gather and sell this information to vehicle history providers,” Tagliapietra dissented. “They’re being paid handsomely for data they acquired for free, but I don’t believe people are considering the consequences of how this data is being used. Consumers are typically unaware that their data has been shared until they decide to trade their car in and the dealer informs them that it was in an accident.”
Although consumers may be aware of data being shared in some cases, “more often, they are not aware of most data sharing that occurs,” Rozint acknowledged. “The consumer typically drops off the vehicle to be repaired and doesn’t think much about the numerous transactions that will occur during the repair process in which their data might be shared. Even the repairers are sometimes unaware of all the data sharing that might occur based on the work they are processing. With consumer data privacy becoming a hot topic, it is much more important for repairers to understand all of the data sharing that is occurring and for them to secure the consumer’s written permission to share data as necessary to process the repair.”
For over 30 years, EMS has been used in hundreds of applications and services, and “it is reliable and has proven to work well for the industry,” Rozint insisted when questioned about why the industry has not yet converted to the Business Message Suite (BMS) standard. “If EMS were ended abruptly, numerous applications and services would immediately stop working and would require users to rekey data or switch applications. For many applications that use EMS, the data stays within the four walls of the business. In these internal business processes, there is low risk of data being compromised and so continued use of EMS does not present a problem.”
The problem arises in regard to data control…and the absence of any such control creates a lot of concern for many shops.
“Shops need an efficient way of sharing information with the trading partner, but they also need an effective solution that allows them to control and manage their information so they’ll know exactly what information is being sent and who receives it, plus they must be able to eliminate the customer’s and vehicle’s PII,” Tagliapietra believes. “Shops are not informed that their information is being pulled and sold to benefit their partner’s business without their knowledge or consent, and I feel shops deserve the right to decide what information they want to share and who they want to share it with.”
Industry experts considered how shops can protect their data and provided some suggestions.
“First, understand local and federal laws related to data sharing,” Rozint offered. “Second, work to understand all of the data sharing that is occurring based on the applications and services being used in the business. This takes time but is critical to ensuring that your business is protected. Third, choose providers that have a written commitment to data protection and have a proven track record of both protecting data and not restricting users access to their own data. Most importantly, beware of software companies with large market share that promise to ‘protect’ your data by restricting access.
“Data is becoming the ‘gold’ in most industries with the data having value to multiple public and private entities years after the claim is settled and the repair is complete,” Rozint added. “If companies with large market share are the only ones with full access to all industry data, they can restrict competition and increase pricing while leaving repairers with no market alternatives. If any company in either your personal or professional life promises to ‘protect’ your data through a service that they control and in doing so will restrict your access to your own data, you may want to think very carefully about how much control you are relinquishing.”
While BMS offers some security because it allows for segmentation of data, EMS is “so entrenched in the industry that there’s no motivation to change,” according to Tagliapietra. “It’s up to the information providers and industry trading partners to stop supporting EMS. In the meantime, the majority of collision repair shops have no idea that there are data pumps running and collecting information for particular entities with whom they wouldn’t want to share their data. Those data pumps continue to operate ad finitum, and it’s hard to find, identify and uninstall illegitimate data pumps.
“It aggravates me that shops are giving data away – and have been for a long time,” Tagliapietra opined. “There’s currently no foolproof way to prevent it, but we are hoping to change all that.”
Recognizing the industry’s need to control its data, Tagliapietra launched DATATOUCH, LLC earlier this year. The software monitors EMS directories, identifies all the software controls copying exported EMS data and alerts the shop to any illegitimate data pumps that may be running.
“Shops have no option to inform them what data pumps are running on their computer systems and who installed them,” he emphasized. “They don’t have the ability to easily detect and remove them, and they’re unable to manage their information to avoid sharing PII, which is a huge issue. Shops must be able to control the amount of repair data that’s shared to minimize the overall exposure of that data being repurposed.”
DATATOUCH’s software is designed to locate illegal data pumps running in a shop’s environment, and if found, they can also license software to help them remove those data pumps. Additionally, shops will have the ability to configure each legitimate data pump to eliminate transferring PII. DATATOUCH expects to make its software available to the industry in the third quarter of 2022.
Tagliapietra reiterated the benefits of converting to BMS but noted, “Until that happens, DATATOUCH wants to provide the collision repair industry with the software tools to eliminate the unwitting data sharing that currently occurs and which has been happening for over 20 years. We haven’t seen any other options out there for shops, so we’re basically on the basement floor with this issue – and that means there’s nowhere to go but up.”
Data sharing presents many possibilities – both positive and negative – for shops to consider, and knowledge is power. At AASP-MN News, we want to empower our readers with the information you want most. What do you need to know? Reach out and let us know how we can help provide the knowledge you need!
Want more? Check out the August 2022 issue of AASP-MN News!