CIECA, Datatouch provide tips on PII protection, encourage shops to move away from EMS exports


In the Collision Industry Electronic Commerce Association’s latest webcast, “Data Sharing in the Collision Industry and Its Unintended Consequences,” CIECA Executive Director Paul Barry and Datatouch Managing Director Pete Tagliapetra discussed the importance of collision repair shops transitioning away from using EMS exports to protect their customers’ personal identification information (PII).

“I believe we need to move away from the EMS standard and on to a more sophisticated standard,” Tagliapetra said. “A standard that took personal identification information into consideration and will be much easier for collision repair shops to manage and feel comfortable that they’re not giving their data away to anybody and everybody who simply wants to take it.”

EMS was intended and created only for internal shop use so external information security was not considered in the design, Tagliapetra and Barry said.

There is currently one alternative – BMS, which is already widely used, but EMS remains “entrenched” in the industry, according to Tagliapetra. CIECA is currently working on another alternative – API standards, or CAPIS.

For those not familiar with PII, it includes the name, address, phone number, and license plate number of customers and/or vehicle owners that come into shops. PII also debatably includes the VIN since it can be linked back to names, addresses, and phone numbers, Tagliapetra said.

“We need a solution that’s offered to shops that deals with segmentation that deletes the personal identification information before sharing that estimate with practically everybody and controls the repair data based upon the trading partner need,” he said. “An example I would use is if you’re a CSI provider, you certainly don’t need any repair information content. You need the contact information of the individual to complete the customer satisfaction index reporting. If you’re a parts provider, you don’t need the entire estimate. You just need the repair lines of the parts that are being replaced or that you’re asking that stakeholder to search for and/or procure from.”
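The segmentation Tagliapetra describes is a data-minimization rule: each trading partner gets only the slice of the estimate its role needs, and PII is removed before anything leaves the shop. The following Python is an added example of that idea, not code from CIECA, Datatouch, or any EMS/BMS implementation; the record layout, the partner roles, the field names and the sample estimate are all assumptions constructed for the demonstration. It also adds a pre-send check that reports any PII field left in an outbound record, which is the kind of control the article says shops currently lack.

```python
"""Per-partner segmentation of a repair estimate (added illustration).

Assumptions: the estimate is a flat dict with a list of repair lines; partner
roles and their needs follow the article's two examples (CSI provider gets
contact info only, parts provider gets replacement-part lines only).
"""
from copy import deepcopy

# PII fields named in the article. VIN is included because it can be linked
# back to a person (the article notes this is debatable; adjust if needed).
PII_FIELDS = {"owner_name", "address", "phone", "license_plate", "vin"}

# Constructed sample estimate; every value here is made up.
ESTIMATE = {
    "estimate_id": "EST-0001",
    "owner_name": "Jane Example",
    "address": "1 Sample St, Sampletown",
    "phone": "555-0100",
    "license_plate": "SAMPLE1",
    "vin": "1XXXXXXXXXX000000",
    "lines": [
        {"line": 1, "op": "replace", "part_no": "P-100",
         "desc": "Front bumper cover", "labor_hours": 2.5},
        {"line": 2, "op": "refinish", "part_no": None,
         "desc": "Bumper refinish", "labor_hours": 1.8},
        {"line": 3, "op": "replace", "part_no": "P-200",
         "desc": "Headlamp assembly", "labor_hours": 0.6},
    ],
}

# Default-deny policy: a role receives only the contact fields listed, only
# the line operations listed, and only the per-line keys listed.
PARTNER_POLICY = {
    # CSI provider: needs to reach the customer, needs no repair content.
    "csi_provider": {"contact": {"owner_name", "phone"},
                     "line_ops": set(), "line_fields": set()},
    # Parts provider: needs the replaced-part lines, no contact info.
    "parts_provider": {"contact": set(),
                       "line_ops": {"replace"},
                       "line_fields": {"line", "part_no", "desc"}},
    # Internal use keeps the whole estimate.
    "internal": {"contact": PII_FIELDS,
                 "line_ops": {"replace", "refinish", "repair"},
                 "line_fields": {"line", "op", "part_no", "desc", "labor_hours"}},
}


def segment(estimate, role):
    """Return a new record containing only what `role` is allowed to see.

    Unknown roles raise rather than falling through to a permissive default.
    """
    if role not in PARTNER_POLICY:
        raise KeyError(f"no sharing policy defined for role {role!r}")
    policy = PARTNER_POLICY[role]

    out = {"estimate_id": estimate["estimate_id"]}
    for field in sorted(policy["contact"]):
        if field in estimate:
            out[field] = deepcopy(estimate[field])

    if policy["line_ops"]:
        out["lines"] = [
            {k: v for k, v in line.items() if k in policy["line_fields"]}
            for line in estimate["lines"]
            if line["op"] in policy["line_ops"]
        ]
    return out


def leaked_pii(record, role):
    """Pre-send check: PII fields present in `record` that `role` may not receive."""
    allowed = PARTNER_POLICY[role]["contact"]
    return sorted(f for f in PII_FIELDS if f in record and f not in allowed)


if __name__ == "__main__":
    for role in PARTNER_POLICY:
        seg = segment(ESTIMATE, role)
        print(role, "->", seg, "| leaked:", leaked_pii(seg, role))
    # The raw export would leak every PII field to a parts provider:
    print("raw export to parts_provider leaks:", leaked_pii(ESTIMATE, "parts_provider"))
```

The point of the two functions together is that segmentation happens at the shop, when the estimate is written, and the outbound record is checked against the same policy before it is sent; a raw EMS-style export fails that check for every external role.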

Tagliapetra added that there is now enough visibility around the issue that shops are arriving at solutions to meet regulatory requirements; not every state has legislated such requirements, and the states that do have regulations on the books don’t share the same rules. California’s, for example, are “rather strict,” he said. There is, unfortunately, no current way for shops to know whether data pumps are installed on their computer systems and still accessing data, which ones they are, or how to uninstall them, but a solution for controlling data flow will likely be available sometime this year, according to Tagliapetra.

Data pumps used by parts suppliers and claims processing agents, as just a couple of examples, will continue to send data indefinitely to those businesses whether shops are still working with them or not until they’re uninstalled, likely including copying every estimate.

“Data privacy and information privacy are concerns, but the reality is businesses have to exchange information to do business,” Barry said. “Body shops need to buy parts; there’s salvage, rental car. There’s all kinds of players in the collision ecosystem and the need to exchange information is real and it’s necessary to the efficient operation of the industry and that’s why CIECA was formed.”

Nobody anticipated, when EMS was created, how it would come to be used, he added, but CIECA recognized early on that sharing data across the industry under the EMS standard raised concerns, which gave rise to BMS.

Barry said when it comes to data security and information privacy they’re often incorrectly defined or misused. Data security is like home security – “keeping the bad guys out” with routers, firewalls, VPNs, passwords, anti-virus software and more – while information privacy centers on policies and procedures businesses have in place to protect information.

“Every business has a responsibility to protect their own data and to implement their own data security,” Barry said. “CIECA standards have no bearing in this notion of data security – it’s something that each business needs to manage on their own.”

So, in the meantime, what can shops do to ensure they’re keeping their customers’ PII safe? Tagliapetra and Barry recommend shops:

    • Mark out vehicle owners’ and/or customers’ names and addresses before faxing estimates anywhere;
    • Make sure they know who they’re doing business with and what information they’re being given; and
    • Make sure employees know what they can and can’t share.

Tagliapetra said that unless PII is manually deleted, it will be sent out to many different places. “I don’t think it’s reasonable to expect the shop to do that on a day-to-day estimate to estimate basis. We have to apply technology to the process. And the good news on that is I do believe that is forthcoming. …As we look forward on how to address the issue there’s obviously a lot of work to be done. When you’re standing on the basement floor, however, there’s nowhere to go but up and I think pretty much that’s where the collision repair industry is with protecting personal identification information.”

A fallacy for shops to believe is that third-party providers can successfully manage PII and repair data, Tagliapetra said. “There’s no surefire way of really managing the data security successfully unless it happens at the very beginning when the shop writes that estimate.”

While Tagliapetra and Barry agreed it will take years for the collision repair industry to move away from using EMS standards, the more businesses that stop using it, the faster the transition will be.

“I don’t see any silver bullet that’s going to solve the problem,” Barry said. “It’s going to take businesses choosing to work with partners that will protect their PII. It’s going to take a push from the shop side of the industry to demand it, honestly. …We’re trying to make the tools available to the industry to use better information protections.”

IMAGES

Featured image: Datatouch Managing Director Pete Tagliapetra (left) and CIECA Executive Director Paul Barry. (Provided by CIECA)

“EMS Personal Information & Data Flow” slide. (Provided by CIECA)

More information

Presentation slides of CIECA’s May 24 CIECAST webinar can be found at www.cieca.com/ciecast-webinars#recent.
