4 minute read
of Data Sharing in Collision Repair ��������������
CIECA on May 24 hosted its latest CIECAST webinar, “Data Sharing in the Collision Industry and Its Unintended Consequences.”
The roughly 40-minute broadcast, featuring Pete Tagliapietra, managing director of DataTouch, LLC, can be viewed at any time at https://www. youtube.com/watch?v=x6M14qGIo5c
Tagliapietra, who also founded NuGen IT before it was acquired by OEConnection, discussed the lack of security and control around the now-ubiquitous Estimate Management Standard (EMS) export, and the importance of giving collision repair facilities and customers the ability to control personal information sharing in the future.
CIECA first released the EMS Standard in April 1994, designed to allow shops to import estimate data into their management system of choice— CCC, Mitchell or Audatex.
“It was designed for internal shop use only,” Tagliapietra said. “It was never intended to be secure or used externally for ecommerce purposes.”
But since then, several companies have recognized its value as an “excellent external ecommerce tool,” Tagliapietra said, including those offering claims processing, data mining and reporting and integration with any collision repair industry stakeholders.
“Pandora’s box was opened and the EMS Standard is entrenched in the industry,” he said. “That data today is widely used for many different purposes.”
Tagliapietra said ActiveX controls and data pumps have become prolific on shops’ computer systems—which seamlessly grab EMS export data and share it wherever the data pump directs it.
“Once a data pump is installed, it will copy all estimates indefinitely until it is uninstalled,” Tagliapietra said. “That means if a shop switches and no longer uses that partner, but doesn’t uninstall the data pump, it will keep sending [data.]
“We see that as a very key issue as to what’s going on now,” he said.
Tagliapietra said repair data is the “newfound gold” in the industry.
“That data is being used way beyond what most people recognize,” he said. “It goes way beyond vehicle reporting.”
As an example, Tagliapietra said, startup electric vehicle manufacturers are looking at repair orders of competitors’ EVs, to learn what is being
repaired and when, as well as demographic information on who is buying those EVs.
It’s a common misconception among shops that third party providers can successfully manage personal ID info and repair data, Tagliapietra said.
“There’s no surefire way to manage it successfully unless it happens right where the shop writes an estimate,” he said.
He showed a flow chart, illustrating how customers’ personal information and vehicle repair data can get from a shop to a completely unaffiliated third party. A shop creates an estimate, then uploads the data to its estimating system provider, which attaches the EMS report via an ActiveX control or data pump.
To help facilitate the repair, the EMS data goes to parts search databases, parts providers, third party claims processors and business management systems—and it can also end up in vehicle history reports and information on parts pricing, vehicle repairability and vehicle owner demographics.
This has led to a complete lack of control of the vehicle owner’s personal info, Tagliapietra said.
“It started happening in the mid to late ‘90s, so it’s nothing new, but it now has grown to the point it’s been identified by states,” he said.
California now has strict regulations on personal information security, and other states, like Virginia and Ohio, are looking into it. Tagliapietra said many more states will follow.
“Businesses can no longer ignore the potential liabilities by not protecting personal information,” he said. “It needs to be dealt with. And it will be dealt with, but it’s just going to take time to do that.”
Paul Barry, executive director of CIECA, talked about the difference between data security and information privacy.
“Data security—think of it like home security,” Barry said. “It’s really about keeping the bad guys out.”
Businesses need to manage their own data security to prevent unwanted access, he said, using routers, firewalls, VPNs, passwords and anti-virus software.
Information privacy is a business’s policies and procedures aimed at protecting that data.
“Each business should develop a program of controls to ensure info is protected and shared appropriately,” Barry said, including password, system access and information sharing policies, and training.
“Larger companies usually have this, but it doesn’t scale down well,” Barry said. “It’s something every business needs to be aware of.”
When CIECA realized EMS data was being shared broadly, Barry said, it started focusing on data segmentation—sharing only the data necessary for a particular job—which gave rise to the newer BMS standards and is figuring into developing CAPIS standards.
“If we don’t need to share a customer’s personally identifiable information, then we shouldn’t,” Barry said. “For example, a parts provider doesn’t
See Data Sharing, Page 26
KombiKing SYMACH PAINT AND DRYING BOOTHS
www.symach.com
SCAN HERE
to watch the video
