If you’re a store owner, your customers’ personally identifiable information (PII) – everything from full name, home address, email, mobile number, VIN, insurance company, etc. – could be compromised by a collision repair industry data aggregation company that provides or sells the data to at least one third-party company, which resells the information to the industry.
Society of Collision Repair Specialists (SCRS) Executive Director Aaron Schulenburg shared details of his discovery with attendees at the July 21 Collision Industry Conference (CIC) meeting in Pittsburgh as part of the presentation of the Data Access, Privacy and Security Committee.
The third-party company Schulenburg spoke to, which he did not name, wanted to sell data that it believes could be a business opportunity for its member stores: they could contact customers who have recently received quotes from other shops and solicit them to have the repairs done in their shop instead. According to Schulenburg, the company confirmed that it uses the word “quote” in place of “estimate” and that quotes could come from insurance companies or shops.
Schulenburg said the company told him, “Through our partners and data aggregation process, we collect 86% of all quoted collision repairs in North America, whether the quote is done by a body shop or an insurance company. In other words, when a consumer brings their car in for repair – whether it’s an insurance company or not – that data enters our system within 24 hours.”
“The point here is not that they have this data, but where they get it from,” Schulenburg said. He added that he confirmed with the company claiming to have access to the information that it does not obtain data from IP addresses, police reports, DMVs or public records. He told the CIC audience that the company could not reveal who the data aggregator was, because it would be a recognizable source within the industry, and data aggregation was not its main business model but a secondary source of income.
“It becomes a real story of the anecdote that we have been talking about for a very long time – there are a lot of good companies that are using data to do the right thing for this industry and there is at least one company that is not doing the good thing,” he said. “There’s at least one business that’s doing it as a separate source of income to take the information you’ve shared with them for some purpose maybe and sell it to someone else to resell it for a totally different purpose that you had not intended.”
In a roundtable that followed with Steven Bloch, attorney for Silver, Golub & Teitell; Pete Tagliapietra with DataTouch; and Tom Allen with ConditionNow, Tagliapietra said Schulenburg’s discovery is an example of the “size and scale of the problem” stores are facing – how is the data taken? The answer, according to Tagliapietra, is either data pumps or software checks that run on store computer systems without the knowledge of store owners and employees. They retrieve and scrape data from each saved estimate, and the data is then aggregated, compiled and sold to vehicle history reporting companies for “a nice profit margin”. And the kicker – there’s no way to tell what data is being fetched if any data pumps or software checks are running.
As part of an ongoing series of contributions to CIC committee presentations, Frank Terlep, CEO of Auto Techcelerators, and Jeff Schroder, CEO of Car-Part.com, shared their methods for entering data and using the VIN during the committee session. Both said they take only the data they need and make clear that they will not use it in any way other than agreed or sell it to third parties.
All three of Terlep’s products use full or partial VINs to identify, service and/or calibrate Advanced Driver Assistance Systems (ADAS) and components, as well as find repair procedures and test procedures.
Schroder said he doesn’t pull the EMS file from the PC — he pulls only the information he needs to find parts, and each store can choose to provide the full or partial VIN or not provide it at all. He noted that it’s easier to understand option codes for parts with the full VIN and that providing at least the partial VIN reduces hassle on the shop side.
“After we take out the VIN and list of parts and what is needed, we send it to our market to search for parts,” he said, adding that Car-Part.com does not give VIN history to Carfax, Experian, or parts suppliers. “In our user agreement, we say we won’t unless we get written permission from the store. We don’t intend to do that.”
Dan Risley, CCC’s vice president of quality repair and market development, who serves as the committee’s co-chair, said Carfax declined the committee’s invitations to participate in the CIC.
Risley said it was important for stores to understand the difference in data sharing between EMS and BMS. With EMS, the whole estimate file is sent when stores choose to share it, but BMS – which may actually represent a larger subset of data – may allow data to be separated so that only parts are sent, assuming there is a software infrastructure to do so.
When it comes to data leaving the hands of stores, Allen had a slightly different perspective on the matter. While he agreed that sharing data is an ethical and philosophical issue, he said it should also concern stores, because customers who are upset that their information is going where they have not given their consent will direct the brunt of their displeasure at the shop where they took their vehicles. The store becomes the “face of the problem”, he said.
“It doesn’t always have to be bad news,” Allen said. “…Our goal is to document these items in a way that is helpful to Mrs. Jones – not only did we fix your car properly, it was done via OEM certified repair procedures, but now here is your report. … It’s controlling the narrative.”
This can be done through a three-phase process, he said. First, know who the data is going to and how to control and protect it internally to prevent your store from being held liable for its disclosure by putting the right disclosures in place. Then, give customers an option to prevent their data from falling into the wrong hands and having negative ramifications, such as impacting vehicle value, he said.
Bloch said stores should also keep in mind that information such as name, address, insurance company name, claim number and plate number may be collected from stores, which are the data entry point, and combined to “potentially violate” state and federal legislation being implemented. He said the legislation “only gets tougher with more scrutiny from everyone in the [data] supply chain.”
“What is important in this legislation that we need to understand is that it covers the collection, use and disclosure of this data. So you must understand and communicate to the consumer the specific use for which this data is used,” Bloch said. “You can’t just use it in the supply chain for any purpose. It should be limited to the specific purpose for which the consumer is seeking the product or service. There are required disclosures of the data that is collected.”
Tagliapietra made a point that stores may not have considered – “information passed to vehicle history reporting companies is ice above the waterline.”
“What’s below the waterline? For stores, below the fold is all of your DRP relationship information…your negotiated labor rate, who you have CRN relationships with and how you set up this program, what labor rates you provide, who you buy parts from, what discounts you offer, what paint and material allowances – anything that can be cleaned from this estimate is taken, compiled and aggregated and used for other purposes. You have to keep that in mind knowing that probably, or there’s a good chance, there’s someone out there who knows exactly how you run your business.”
Committee co-chair Trent Tinsley, with EHI, said that’s why CIC created the Data Protection and Data Sharing Golden Rules for the industry.
Risley said the committee will provide information and discuss chain of custody of data and approvals at the CIC meeting in November.
Featured Image: (Left to right) Dan Risley, co-chair of CIC’s Data Access, Privacy and Security Committee; Steven Bloch, attorney for Silver, Golub & Teitell; Pete Tagliapietra of DataTouch; Tom Adams of ConditionNow; and Trent Tinsley, co-chair of the Data Access, Privacy, and Security Committee. (Credit: Lurah Lowery)
The presentation slides show all data sold by a third-party company after being collected by a collision repair industry data aggregator. (Slides provided by Aaron Schulenburg)