CIC Committee Presentation: 86% of all quoted collision repair data could be available for sale


If you’re a shop owner, your customer’s personally identifiable information (PII) data — everything from full name, home address, email, cell number, VIN, insurance carrier, and more — could be compromised at the hands of a collision industry data aggregation company that’s providing or selling the data to at least one third-party company to sell the information back to the industry.

Aaron Schulenburg (Credit: Lurah Lowery)

Society of Collision Repair Specialists (SCRS) Executive Director Aaron Schulenburg shared details of his discovery with attendees of the July 21 Collision Industry Conference (CIC) meeting in Pittsburgh as part of the Data Access, Privacy & Security Committee’s presentation.

The third-party company Schulenburg spoke to, which he didn’t name, wanted to sell data that it described as a business opportunity for his member shops: shops could contact customers who recently received quotes from other shops and solicit them to have the repairs completed at their shop instead. According to Schulenburg, the company confirmed the word “quotes” was being used as a stand-in for “estimates,” and that the quotes could be from insurance carriers or shops.

Schulenburg said the company told him, “Through our data aggregation partners and processes we collect 86% of all quoted collision repairs in North America whether the quote is taken through a body shop or an insurance carrier. In other words, when a consumer takes their car in for a repair – whether if it’s an insurance carrier or not – that data goes into our system within 24 hours.”

“The point here is not that they have this data but where they’re getting it from,” Schulenburg said. He added that he confirmed with the company claiming to have access to the information that they’re not getting the data from IPs, police reports, DMVs, or public registries. He indicated to the CIC audience that the company could not reveal who the data aggregator was, as it would be a recognizable source within the industry because data aggregation was not their primary business model – but represented a secondary source of revenue for them.

“This becomes a real-life story of the anecdote that we’ve talked about for a really long time — there’s a lot of good companies out there who are utilizing data to do the right thing for this industry and there’s at least one company who’s not doing the right thing,” he said. “There’s at least one company who’s turning it into a separate revenue stream to take the information that you shared with them for maybe one intended purpose and selling it to somebody else to sell for an entirely different purpose that you didn’t intend.”

In a panel discussion that followed with Silver, Golub & Teitell attorney Steven Bloch, Pete Tagliapietra with DataTouch, and Tom Allen with ConditionNow, Tagliapietra said Schulenburg’s discovery is an example of the “size and magnitude of the problem” that shops are faced with: how is the data being taken? The answer, according to Tagliapietra, is either data pumps or software controls running on shop computer systems, unbeknownst to shop owners and employees, that grab and scrape data from every saved estimate, aggregate and compile it, then sell it to vehicle history reporting companies for “a nice profit margin.” And the kicker: if data pumps or software controls are running, there’s no way to know what data is being scraped.

Frank Terlep (Credit: Lurah Lowery)

As part of an ongoing series of contributions to the CIC committee presentations, Auto Techcelerators CEO Frank Terlep and Car-Part.com CEO Jeff Schroder shared their methods for data capture and use of the VIN during the committee’s session. Both said they take only the data they need and they provide disclosures that say they won’t use it in any other way than agreed on or sell it to third parties.

Terlep’s three products use either full or partial VINs to identify, service, and/or calibrate advanced driver assistance systems (ADAS) and components as well as to find repair procedures and test procedures. 

Jeff Schroder (Credit: Lurah Lowery)

Schroder said he doesn’t take the EMS file off the PC — he only extracts the information he needs to search for parts and each shop can choose to provide the full or partial VIN or not provide it at all. He noted that it’s easier to figure out option codes for parts with the full VIN and providing at least the partial VIN makes for less hassle on the shop’s end.

“After we pull out the VIN and the part list and the things that are needed we send that out to our marketplace to search for parts,” he said, adding that Car-Part.com doesn’t give VIN history to Carfax, Experian, or parts suppliers. “In our user agreement, we say that we won’t unless we get written permission from the shop. We have no intention of doing that.”

Dan Risley, CCC vice president of quality repair and market development, who serves as committee co-chair, said Carfax has denied the committee’s invitations to participate at CIC.

Risley said it’s important for shops to understand the data sharing difference between EMS and BMS. With EMS, the entire estimate file is sent out when shops choose to share it but BMS – which may actually represent a greater subset of data – can allow for the separation of data so that only pieces of it are sent out, presuming there is a software infrastructure to do so.
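The two sharing models Risley describes, and Schroder’s practice of extracting only the VIN and part list, both come down to field-level data minimization at the point where the estimate leaves the shop. The following is an added example, not code from the article, CIC, Car-Part.com or any estimating vendor: a whole-record share (EMS-style) is compared against a per-recipient allow-list (BMS-style) with optional VIN truncation, and a share log records which fields went to whom so there is a chain of custody. The record layout, field names, sample values and the 10-character “partial VIN” rule are all constructed assumptions for illustration and are not the real EMS or BMS formats.

```python
"""Added example (not from the article or any vendor): field-level data
minimization for an estimate record before it is shared with a recipient.

All field names, sample values and the partial-VIN rule are constructed for
illustration; they are not the actual EMS or BMS message layouts.
"""
from copy import deepcopy
from dataclasses import dataclass

# PII categories the article says aggregators collect and resell.
PII_FIELDS = frozenset({
    "customer_name", "home_address", "email", "cell_number", "vin",
    "insurance_carrier", "claim_number", "plate_number",
})

# Business terms the panel described as "below the water line".
BUSINESS_FIELDS = frozenset({
    "labor_rate", "parts_discount", "paint_allowance", "drp_partner",
})

# Constructed sample estimate; every value is made up (the VIN is not a real vehicle).
SAMPLE_ESTIMATE = {
    "estimate_id": "EST-0001",
    "customer_name": "Jane Example",
    "home_address": "1 Example St, Anytown",
    "email": "jane@example.invalid",
    "cell_number": "555-0100",
    "vin": "1HGCM82633A004352",
    "insurance_carrier": "Example Mutual",
    "claim_number": "CLM-123",
    "plate_number": "ABC1234",
    "labor_rate": 58.0,
    "parts_discount": 0.12,
    "paint_allowance": 34.0,
    "drp_partner": "Example Mutual",
    "parts": [{"part": "front bumper cover", "qty": 1}],
}

PARTIAL_VIN_LEN = 10  # assumption: keep make/model descriptor, drop plant + serial


@dataclass(frozen=True)
class SharePolicy:
    """What one recipient is allowed to receive from an estimate."""
    recipient: str
    allowed_fields: frozenset
    partial_vin: bool = False


def partial_vin(vin: str) -> str:
    """Truncate a 17-character VIN to the constructed partial-VIN length."""
    if len(vin) != 17:
        raise ValueError("expected a 17-character VIN")
    return vin[:PARTIAL_VIN_LEN]


def minimize(record: dict, policy: SharePolicy) -> dict:
    """BMS-style share: copy only allow-listed fields, never mutating the input."""
    out = {k: deepcopy(v) for k, v in record.items() if k in policy.allowed_fields}
    if policy.partial_vin and "vin" in out:
        out["vin"] = partial_vin(out["vin"])
    return out


def share_whole_file(record: dict) -> dict:
    """EMS-style share: the entire estimate goes out as-is."""
    return deepcopy(record)


def exposure(payload: dict) -> dict:
    """Report which PII and business fields a payload would disclose."""
    return {
        "pii": sorted(k for k in payload if k in PII_FIELDS),
        "business": sorted(k for k in payload if k in BUSINESS_FIELDS),
    }


def record_share(log: list, policy: SharePolicy, payload: dict) -> list:
    """Append a chain-of-custody entry: recipient and field names, not values."""
    log.append({"recipient": policy.recipient, "fields": sorted(payload)})
    return log


if __name__ == "__main__":
    parts_policy = SharePolicy("parts_marketplace", frozenset({"vin", "parts"}), partial_vin=True)
    log = []
    minimized = minimize(SAMPLE_ESTIMATE, parts_policy)
    record_share(log, parts_policy, minimized)
    print("whole file exposes:", exposure(share_whole_file(SAMPLE_ESTIMATE)))
    print("minimized exposes:", exposure(minimized))
    print("share log:", log)
```

Running the module prints the contrast: the whole-file share exposes every PII field plus the negotiated labor rate, discounts and DRP partner, while the parts-marketplace payload carries only a truncated VIN and the part list. The log deliberately stores field names rather than values, so the chain-of-custody record itself does not become another copy of the PII.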

When it comes to data leaving shops’ hands, Allen had a bit of a different perspective on the issue. While he agreed that data sharing is an ethical and philosophical issue, he said it should also matter to shops because customers who are upset about their information going where they didn’t give consent will give the shop they took their vehicles to the brunt of their discontent. The shop becomes the “face of the issue,” he said.

“It doesn’t always have to be bad news,” Allen said. “…Our goal is to actually document that stuff in a way that is helpful to Mrs. Jones — not only did we fix your car properly, it was done via OEM-certified repair procedures but now here’s your report. …That’s controlling the narrative.”

That can be done through a three-phase process, he said. First, know who data is going to and how to control it and keep it protected in-house to keep your shop from the liability of it getting out by having the right disclosures in place. Then, provide customers with an option to keep their data from getting into the wrong hands and having negative ramifications, such as affecting the vehicle’s value, he said.

Bloch said shops should also keep in mind that information such as name, address, insurance company name, claim number, and plate number, can be collected from shops, which are the entry point of data, and combined to “potentially run afoul of” state and federal legislation that is being implemented. He said legislation “is only getting stricter with more scrutiny being paid to everybody in the [data] supply chain.”

“What’s important about that legislation that we need to understand is it covers the collection, use, and disclosure of that data and so you’ve got to understand and communicate to the consumer that’s coming in the specific use for which that data is being used,” Bloch said. “You can’t just use it down the supply chain for any purpose. It’s got to be limited to that specific purpose for which the consumer is seeking the product or the service. There are disclosures required of the data that’s collected.”

Tagliapietra made a point that shops perhaps may not have considered: “information going to the vehicle history reporting companies are the ice above the water line.”

“What’s below the water line? For shops, the below the water line is all of your DRP relationship information… your negotiated labor rate, who you have CRN relationships with and how you have that program put together, what labor rates you’re providing, who you buy parts from, what discounts you offer, what paint and material allowances – anything that can be cleaned off that estimate is being taken, compiled and aggregated and being used for other extensive purposes. You have to keep that in mind knowing that probably, or there’s a good chance, that there’s somebody out there who knows exactly how you’re running your business.”

Committee co-chair Trent Tinsley, with EHI, said that’s the reason CIC created Golden Rules of Data Protection and Sharing for the industry.

Risley said the committee will provide information and have a discussion on data chain of custody and approvals at CIC’s meeting in November.

IMAGES

Featured image: (Left to right) CIC Data Access, Privacy & Security Committee Co-Chair Dan Risley; Silver, Golub & Teitell Attorney Steven Bloch, Pete Tagliapietra with DataTouch, Tom Adams with ConditionNow, and Data Access, Privacy & Security Committee Co-Chair Trent Tinsley. (Credit: Lurah Lowery)

Presentation slides show all of the data that is sold by a third-party company after it’s collected by a collision repair industry data aggregator. (Slides provided by Aaron Schulenburg)

