Where Does Your Data Go, and Who Can Access It?

by Chasidy Rae Sisk

Cars know more about their drivers than vehicle owners know about their cars these days.

Many benefits come from the ever-increasing technology turning our transportation into supercomputers on wheels, such as improvements in safety and convenience factors, but those same systems that improve the driving experience also pose potential privacy hazards by collecting – and potentially sharing – vehicle data. What a scary thought!

Data sharing concerns grow even more frightening for collision repair shop owners who often find that their data has been accessed without their knowledge or consent. Data pumps constantly monitor the estimate management standard (EMS) export routine, so once the data file is exported, those data pumps create and transmit copies of that exported data. Even once a shop stops using a specific resource, the data pump will continue to send information to that provider indefinitely until it is uninstalled…often without the shop realizing what’s happening.

“We understand nothing about what’s being collected because it’s all being done covertly,” lamented Barry Dorn (Dorn’s Body & Paint; Mechanicsville, VA). “I’d love to tell you that we have control over our facility’s data, but it’s so easy for someone from a supplier to call up and ask to install software. We have pretty tight controls, but it’s not impossible to believe someone who doesn’t know any better would allow them into a shop’s system.”

“Repair facilities feel really vulnerable to this issue,” indicated Aaron Schulenburg, executive director of the Society of Collision Repair Specialists (SCRS). “They interact electronically with countless entities throughout the course of conducting their business of repair – repair planning, parts ordering, rental updates, CSI – but in many cases, they have no way of knowing the full extent of where the data is going and whether those companies share it further.”

“I don’t feel as if we have control over our customers’ data, especially after it leaves our system,” confirmed Kris Burton (Rosslyn Auto Body; Alexandria, VA), who worries about “potentially being held liable for reporting information that ties back to us, which is inaccurate” and would like to better understand “who collects it, why they collect it and who is benefiting financially from it. Everyone wants to use our data for their financial gains, while shops are never compensated for anything above repair lines on the estimate. Do they share it? Did they receive permission? Are people made aware of it?”

So, who does collect that data, and why?

“Numerous entities collect data in the collision and auto claims industry, and in some cases, the data is collected as part of processing a collision repair or auto claim,” Jack Rozint (Mitchell International) stated. “Some uses of data are for very specific purposes, and parts providers, rental companies, and the information providers are examples of entities that collect data as part of the business services that they provide. For example, car rental companies often collect data from the estimate [related to] labor hours which helps them predict the length of the rental and allows for better management of the rental cycle for their insurance partners.

“Others, such as the vehicle history companies and data aggregators, specialize in data aggregation around the entire auto ownership lifecycle and will purchase data from entities within the collision and claims industry as well as from government agencies, tow companies and auto mechanical repair shops,” Rozint added. “These are just a few examples – and in fact, the data from a single estimate may wind up in dozens of databases. While the amount paid for one data transaction is small, the number of transactions can be very large, resulting in millions of dollars in data value per year.”

Because it’s so valuable to certain entities, data has been dubbed the “newfound gold” in many industries, including the collision and automotive fields.

“Estimate information – including personally identifiable information (PII) and repair data – is being shared with a vast number of industry trading partners a shop does business with,” explained Pete Tagliapietra (DATATOUCH, LLC). “A trading partner installs a software control, commonly referred to as a data pump, to monitor the estimate directories, and as it monitors those directories, it automatically grabs that EMS export to provide access for that trading partner to use that information to meet the needs of the collision repair shop. But it also grants them access to a voluminous amount of information in many situations.

“Imagine a number of tentacles reaching out to access this information in an uncontrolled way,” he continued. “They want certain information, but they’re not only receiving that manufacturer’s information; they’re getting all of the estimate information, allowing them to aggregate and repurpose it. Not everyone is doing this, but several companies are collecting data for various financial reasons. And shops have little to no control.”

A large part of the problem lies with the EMS export itself. Intended for internal use only, no security functions were built into the export. Yet, within the repair shop space, data pumps have become the standard way for shops to communicate with their trading partners, and unfortunately, that has led to information misappropriation, according to Tagliapietra.

As an example, he described a situation in which a shop writes an estimate and repairs a vehicle, and within a few days, information shows up in CARFAX. The shop has no clue how it got there, and the customer is angry that their information was shared.

“A couple years ago, we ran a particular vehicle through CCC and Mitchell to source OEM parts. We did not send the estimate anywhere else, but 35 days later, it showed up on CARFAX,” Dorn recalled. “Our biggest fear is that we have inadvertently shared customers’ data with entities without knowing it’s going out. If that can happen to us, how does it affect our customers?”

“How does CARFAX get their data?” Burton pondered. “Does the data come from estimating companies, parts ordering websites or insurance companies through our estimating platforms? Consumers should be given a choice about what information is shared, and the shops should be made aware and asked for permission as well.”

Hammer & Dolly reached out to CARFAX to find out where it obtains data, how data can be obtained without permission from the consumer or the shops, and how shops can protect themselves from data being inadvertently shared.

“More than 131,000 data sources across North America report information to CARFAX,” CARFAX Public Relations Director Emilie Voss responded to our query. “The details associated with a single event on a CARFAX report may have been reported to CARFAX from several sources, both public and private. CARFAX recognizes the importance of accurate information, and therefore, the Help Center on carfax.com provides an easy, quick way to send CARFAX requests for data verifications and corrections.”

Although consumers may be aware of data being shared in some cases, “more often, they are not aware of most data sharing that occurs,” Rozint acknowledged. “The consumer typically drops off the vehicle to be repaired and doesn’t think much about the numerous transactions that will occur during the repair process in which their data might be shared. Even the repairers are sometimes unaware of all the data sharing that might occur based on the work they are processing. With consumer data privacy becoming a hot topic, it is much more important for repairers to understand all of the data sharing that is occurring and for them to secure the consumer’s written permission to share data as necessary to process the repair.”

“Some of the biggest concerns from shops are when customers come back to the repairer and say, ‘I only shared this with YOU, and now it’s on my vehicle history report…and it is YOUR fault,’” Schulenburg noted. “For many of these businesses, they may have already taken every precaution they can think of.”

That’s certainly the case for Dorn.

“Although we’ve never allowed insurers to install data pumps on our systems, we used to utilize PartsTrader per one carrier’s request. Since then, we’ve tried to delete everything because we’re sticklers for not allowing pumps. We even had CCC come to the shop to conduct tests, and they couldn’t figure out how CARFAX is getting our data. About five months ago, we started having our parts department only include the last eight of the VIN to suppliers, but all of our data goes back to the data providers – literally everything!

“Everyone claims they scrub the data they receive, but how do you know?” Dorn continued. “They aggregate that data and use it for a multitude of reasons that may or may not help me. I wish we had a better idea about how the data is being collected, but it seems like there are multiple cracks in the dam. There needs to be more transparency and a way that we can control the data coming in…and more importantly, the data going out.”

Reacting to shops’ concerns about data sharing, the Collision Industry Conference (CIC) has been exploring this topic in-depth. In addition to establishing Data Protection and Sharing “Golden Rules” (available at bit.ly/CICGold), the organization’s Data Access, Privacy and Security Committee’s current focus largely revolves around this issue, “primarily in regard to repair estimate data through CIECA EMS and business message suite (BMS) files,” according to Committee Co-Chair Trent Tinsley.

Referencing a recent CIC discussion about VIN data being sent to multiple suppliers to get parts pricing and availability information while the estimate is being created, Rozint mentioned, “It appears that some of this VIN data may be shared by one information provider’s parts procurement service and then be ‘leaking’ from some suppliers on that parts system to vehicle history companies as there have been CARFAX collision repair reports on vehicles for which nothing more than a test estimate was written – the vehicle was never in a collision, parts were never ordered, and the vehicle was never repaired. In this case, you can have EMS and BMS exporting turned off and have all the data security services available on the back end turned on, but your estimate data is still being shared – possibly without your knowledge or explicit permission. For the record, Mitchell does not share VIN data in this manner when writing an estimate.”

For over 30 years, EMS has been used in hundreds of applications and services, and “it is reliable and has proven to work well for the industry,” Rozint insisted when questioned about why the industry has not yet converted to BMS. “If EMS were ended abruptly, numerous applications and services would immediately stop working and would require users to rekey data or switch applications. For many applications that use EMS, the data stays within the four walls of the business. In these internal business processes, there is low risk of data being compromised and so continued use of EMS does not present a problem.”

“Many shops conduct business with insurers, OEMs, production management systems, parts providers and other trading partners using estimate-level data,” Tinsley pointed out. Although the committee has not been focused on whether payments are being collected for this data when it’s distributed, he indicated that in the majority of cases, “estimate data is not being paid for by either the shop or their trading partner.”

“Based on my information and beliefs, CARFAX receives the vast majority of its collision repair data from industry stakeholders who gather and sell this information to vehicle history providers,” Tagliapietra dissented. “They’re being paid handsomely for data they acquired for free, but I don’t believe people are considering the consequences of how this data is being used. Consumers are typically unaware that their data has been shared until they decide to trade their car in and the dealer informs them that it was in an accident.”

Tinsley agreed that consumers are rarely aware that their data is being shared, “unless the repairer has this outlined in the repair authorization itself or in a CSR word track,” and he stressed, “It is important that shops be aware of this for many reasons. EMS is still the primary way shops are communicating estimate data to their trading partners, though many of these companies are converting EMS data into BMS formats once received. The committee believes that education for the industry is key to encourage more BMS capabilities to be available to repair shops. Our goal is ‘data control:’ putting data in the hands of the repairers to control what they share, when and with whom.”

That lack of control seems to be the aspect of data sharing that creates the most concern for many shops.

“Shops need an efficient way of sharing information with the trading partner, but they also need an effective solution that allows them to control and manage their information so they’ll know exactly what information is being sent and who receives it, plus they must be able to eliminate the customer’s and vehicle’s PII,” Tagliapietra believes. “Shops are not informed that their information is being pulled and sold to benefit their partner’s business without their knowledge or consent, and I feel shops deserve the right to decide what information they want to share and who they want to share it with.”

Industry experts considered how shops can protect their data and provided some suggestions.

Encouraging collision repairers “to have dialog with vendors and be selective about who you share or exchange data with,” Schulenburg identified CIC’s “Golden Rules” as “a good launching off point for the conversation surrounding data access, exchange and protection; a shop might ask their vendors if they follow these practices and ask for their response in writing for their files.”

“Shops should know who they are sharing estimate data with and for what business purpose,” Tinsley suggested, identifying this as a key concern in CIC’s development of its Data Protection and Sharing “Golden Rules.” “The committee doesn’t advocate for or against any entity that a shop chooses to do business with, but we highly encourage shops to know this information.”

Rozint offered some additional advice for repairers:

“First, understand local and federal laws related to data sharing. Second, work to understand all of the data sharing that is occurring based on the applications and services being used in the business. This takes time but is critical to ensuring that your business is protected. Third, choose providers that have a written commitment to data protection and have a proven track record of both protecting data and not restricting users’ access to their own data. Most importantly, beware of software companies with large market share that promise to ‘protect’ your data by restricting access.

“Data is becoming the ‘gold’ in most industries with the data having value to multiple public and private entities years after the claim is settled and the repair is complete,” Rozint added. “If companies with large market share are the only ones with full access to all industry data, they can restrict competition and increase pricing while leaving repairers with no market alternatives. If any company in either your personal or professional life promises to ‘protect’ your data through a service that they control and in doing so will restrict your access to your own data, you may want to think very carefully about how much control you are relinquishing.”

While BMS offers some security because it allows for segmentation of data, EMS is “so entrenched in the industry that there’s no motivation to change,” according to Tagliapietra. “It’s up to the information providers and industry trading partners to stop supporting EMS. In the meantime, the majority of collision repair shops have no idea that there are data pumps running and collecting information for particular entities with whom they wouldn’t want to share their data. Those data pumps continue to operate ad infinitum, and it’s hard to find, identify and uninstall illegitimate data pumps.

“It aggravates me that shops are giving data away – and have been for a long time,” Tagliapietra opined. “There’s currently no foolproof way to prevent it, but we are hoping to change all that.”

Recognizing the industry’s need to control its data, Tagliapietra launched DATATOUCH, LLC earlier this year. The software monitors EMS directories, identifies all the software controls copying exported EMS data and alerts the shop to any illegitimate data pumps that may be running.

“Shops have no option to inform them what data pumps are running on their computer systems and who installed them,” he emphasized. “They don’t have the ability to easily detect and remove them, and they’re unable to manage their information to avoid sharing PII, which is a huge issue. Shops must be able to control the amount of repair data that’s shared to minimize the overall exposure of that data being repurposed.”

DATATOUCH’s software is designed to locate illegal data pumps running in a shop’s environment, and if any are found, shops can also license software to help remove them. Additionally, shops will have the ability to configure each legitimate data pump to eliminate transferring PII. DATATOUCH expects to make its software available to the industry in the third quarter of 2022.

Tagliapietra reiterated the benefits of converting to BMS but noted, “Until that happens, DATATOUCH wants to provide the collision repair industry with the software tools to eliminate the unwitting data sharing that currently occurs and which has been happening for over 20 years. We haven’t seen any other options out there for shops, so we’re basically on the basement floor with this issue – and that means there’s nowhere to go but up.”


Want more? Check out the July 2022 issue of Hammer & Dolly!