COVER STORY
PROTECT YOUR GOLD:
DATA PRIVACY CONCERNS AND SOLUTIONS Social security numbers. Driver’s license numbers. Vehicle identification numbers. Personally identifiable information (PII) is “any information that permits the identity of an individual to be directly or indirectly inferred,” per the U.S. Department of Homeland Security’s website. In today’s digital economy, PII is incredibly valuable – its position as such a prize has led to data being dubbed “the new gold.” This claim rings particularly true in the automotive industry where modern vehicles know more about their drivers than the vehicle owner knows about their car. But what happens to all this data when the vehicle is in the shop for service or repairs? Many benefits come from the ever-increasing technology turning our transportation into supercomputers on wheels, such as improvements in safety and convenience factors, but those same systems that improve the driving experience also pose potential privacy hazards by collecting – and potentially sharing – vehicle data. What a scary thought! What’s even more frightening? Shops commonly find that this data has been accessed without their knowledge or consent. Data pumps constantly monitor the estimate management standard (EMS) export routine, so once the data file is exported, those data pumps create and transmit copies of that exported data. Even once a shop stops using a specific resource, the data pump will continue to send information to that provider indefinitely until it is uninstalled…often without the shop realizing what’s happening. So, who does collect that data, and why? “Numerous entities collect data in the collision and auto claims industry, and in some cases, the data is collected as part of processing a collision repair or auto claim,” Jack Rozint (Mitchell International) stated. “Some uses of data are for very specific purposes, and parts providers, rental companies, and information providers are examples of entities that collect data as part of the business services they provide. For example, car rental companies often collect data
14 | August 2022
from the estimate [related to] labor hours which helps them predict the length of the rental and allows for better management of the rental cycle for their insurance partners. “Others, such as the vehicle history companies and data aggregators, specialize in data aggregation around the entire auto ownership lifecycle and will purchase data from entities within the collision and claims industry as well as from government agencies, tow companies and auto mechanical repair shops,” Rozint added. “These are just a few examples – and in fact, the data from a single estimate may wind up in dozens of databases. While the amount paid for one data transaction is small, the number of transactions can be very large, resulting in millions of dollars in data value per year.” But how are these entities obtaining that valuable data? “Estimate information – including personal identifiable information (PII) and repair data – is being shared with a vast number of industry trading partners a shop does business with,” explained Pete Tagliapietra (DATATOUCH, LLC). “A trading partner installs a software control, commonly referred to as a data pump, to monitor the estimate directories, and as it monitors those directories, it automatically grabs that EMS export to provide access for that trading partner to use that information to meet the needs of the collision repair shop. But it also grants them access to a voluminous amount of information in many situations. “Imagine a number of tentacles reaching out to access this information in an uncontrolled way,” he continued. “They want certain information, but they’re not only receiving that manufacturer’s information; they’re getting all of the estimate information, allowing them to aggregate and repurpose it. Not everyone is doing this, but several companies are collecting data for various financial reasons. And shops have little to no control.” A large part of the problem lies with the EMS export itself. Intended for internal use only, no security functions were built into the export. Yet, within the
AASP-MN News
