Following the Collision Industry Conference (CIC)’s July 21 panel discussion on the issue of customer and shop data privacy in the collision repair industry, Repairer Driven News sought to find out some solutions business owners can use to prevent personal identifiable information (PII) from falling into the wrong hands.
Two solutions come from an attorney and data expert in the industry that participated in the CIC Data Access, Privacy & Security Committee’s panel – Steven Bloch with Silver, Golub & Teitell and Datatouch Managing Director Pete Tagliapietra.
Bloch pointed out there are existing laws in every state on data privacy and new legislation is becoming stricter about the responsibilities each party in the data supply chain has to the owners.
For example, two states – Virginia and Florida – have both passed legislation that will be effective next year to better protect residents’ PII. The Virginia Consumer Data Protection Act, effective Jan. 1, will give residents the right to know who has their data, opt-out of it being used, to correct any inaccuracies, have the data deleted, and to obtain a copy of the data that controllers have about them. Controller is defined under the law as “the natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data.”
The law will also hold businesses that meet certain jurisdictional thresholds to new and additional data collection and protection obligations, including limiting “the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer.”
Effective next March, Floridians’ PII found in vehicle crash reports and traffic citations will be safeguarded by state law with the passage earlier this year of a bill by both sides of the legislature to restrict public access to the data. SB 1614, and its House companion, amend current law to prohibit the release of crash reports that contain the home or employment street addresses, driver license or identification card numbers, dates of birth, and home and employment telephone numbers of the involved parties to the public, including media outlets. The same information found on citations is prohibited from release as well as vehicle license plate and trailer tag numbers.
Bloch told Repairer Driven News California is at the forefront of protecting consumer data and addressing the disclosures that need to be given with Virginia, Utah, Vermont, and Connecticut following suit with similar laws to increase protections and outline what consumers can do to prevent their PII from being shared.
A bipartisan and bicameral bill was also introduced in the U.S. House last month to protect consumer data collection and privacy across nearly all sectors, including automakers and car dealers. H.R. 8152, the “American Data Privacy and Protection Act,” seeks to “provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaningful enforcement.”
“The overarching theme is we’re all marching toward a world in which federal and state legislation enhance and heighten the obligations with respect to data that all the players in the supply chain have and the disclosures that are required for consumers so that they can give informed consent and acknowledge how the data’s being used,” Bloch said. “And understand what the purpose of its use is and what they may be able to do to prevent sharing of the data, if it’s appropriate.”
Data privacy solutions
Datatouch will begin alpha testing of its software product during the second week of August and should be commercial by late September/early October, according to Tagliapietra.
“Datatouch is all about giving the collision repair shop, or shops, total control over their repair information,” he said. “Repair information obviously includes personal identification information as well as their repair data.”
The Collision Industry Electronic Commerce Association (CIECA)’s EMS standard was released in 1994 and its purpose was to provide collision shops the ability to import estimate data into any body shop management system through the standard, he added. However, Tagliapietra said, “That standard did not provide any type of data security. It was an open standard. Data security wasn’t even thought about or talked about at that time.”
CIECA is currently working on a new set of of JSON- and Open APIs (CAPIS) standards to supplement its current Business Message Suite (BMS) standards and to provide developers with a new option to create collision industry software. The first CAPIS release is slated for October of this year.
The point has been made that BMS exports allow data to be segmented, which Tagliapietra said is a big step in the right direction. However, he said the function isn’t completed by shops — it’s sent to one of the estimating systems – CCC, Audatex, or Mitchell – to be done, which means there’s no security of the data because the full estimate files have already left the shops’ systems.
Tagliapietra noted that unsecure data exports leads to situations like one that Society of Collision Repair Specialists (SCRS) Executive Director Aaron Schulenburg recenlty discovered and shared during CIC’s meeting last week in Pittsburgh. He found that at least one third-party company is buying data from a collision industry data aggregation company to sell the information back to the industry.
“We have information being disseminated throughout the industry and collision repair shops have not been concerned about that over the years until recently where it’s gotten a lot of momentum and visibility,” Tagliapietra said. “What we realized here at Datatouch is when we looked at the issue and problem and the regulatory issues that were surfacing — California, Virginia, et cetera — where regulators were becoming aware of the issues and the sensitivity with sharing personal identification information. We’ve also realized how for-profit companies are aggregating and compiling that data and re-selling it.”
That includes vehicle history companies, such as Carfax and Experian, he added.
The key takeaways about what Datatouch will offer to shops are default protection of PII before software controls, also known as data pumps, ever have access to it, and audit shop computer systems to see if data pumps are running and remove any that aren’t needed. The audit is the first step of the process to identify and remove unauthorized data pumps and would come with a one-time fee. Shops can then subscribe for a monthly fee.
“The other thing that we can do, and will do, for the shops is we’ll give them total control over the estimate content. For example, we really need to understand who needs the VIN and that list is very short. …We’ll give the shop the ability to say, ‘Look, I’m only going to send this trading partner the first 11 of the VIN.’ Or, ‘I’m not going to send the VIN at all.’ Or, ‘If it’s an automotive dealer, I’m just going to send the last eight.’
“If there are trading partner software applications that require all 17 characters of the VIN, those will be accounted for. The salient point is to only send the trading partner what is required to complete the transaction successfully, that is, an aftermarket parts provider will receive the vehicle descriptions and the parts replacement lines of the estimate – nothing else.”
Datatouch is working on a couple of other projects that will provide shops “value back in the future” and could launch as soon as mid-2023.
Bloch’s firm, along with the law firm of Duane Morris, is offering legal help to collision repair shops in adhering to the laws on the books. The process would start with a conversation between the shop and the firms about how the shop shares consumer information and data with their vendors and others they work with, Bloch said.
“We would also review and analyze the license agreements and similar documentation that they’ve entered into with all the entities in the supply chain with which they share repair data and consumer information so that we’ve got a full picture of the landscape and how the information flow is structured,” he said. “Then what we would do is recommend standard operating procedures and compliance with any state-specific or federal laws relating to the repair data and the consumer information or personal information. And then ultimately, provide the collision repair shop with some documentation that they can present to the consumer, which provides the appropriate disclosures and then obtain the consent and acknowledgment of their customers.”
Shops interested in the legal services provided by Silver, Golub & Teitell and Duane Morris law firms can give Bloch a call at 203-325-4491.
Featured image credit: JuSun/iStock
Headshots provided by Bloch and Tagliapietra