Hard Lessons in Software: Protecting the Shop and Safeguarding Personal Data
by Sean Preston, Coverall Law
So many of the tools used today in our shops are, or involve, software. And every piece of software has a EULA.
End User License Agreements (“EULAs,” pronounced: yoo-luh) are a way of life for each and every one of us: individuals and businesses alike.
I knew this was a timely topic as soon as our Executive Director, Lucky Papageorg, messaged me from the Collision Industry Conference in Indianapolis. Lucky asked whether I was knowledgeable about EULAs, and it just so happened that I had very recently completed a EULA review for a Coverall Law client in Massachusetts.
EULAs are legal agreements that give you access to an application or software. You have to sign them (or check a box) before you can use the application or software owned by the service provider. My most recent client-example was an online portal, created by an auto manufacturer, for vehicle maintenance and repair information. These OEM tools are absolute necessities for shops these days.
EULAs are going to dictate who gets to use the resource and information, how it’s used, how much you pay, when the use stops, what happens when using their information results in an accident, what they get in return and so on.
EULAs come with a number of complex and interweaving issues, but I can leave you with two things: your first consideration in a EULA and the developing privacy issue which was spoken about at the recent conference in Indianapolis.
The first question I always want to ask when looking at any agreement is: “Who are the parties to the agreement?” EULAs are no exception.
If a shop owner, manager or associate enters a EULA as an individual, that is the individual who now gets access. So, typically, the shop wants to make sure that the entity (the shop’s LLC or corporation) is the proper party to the EULA.
Standard language among EULAs will give access to employees, independent contractors, agents, etc. of a legal entity (LLC or Corp.), but you don’t get that if the license is only for a single individual. But there are other reasons you want the EULA going through your company, and not yourself.
Standard in EULAs is an indemnity clause. If anything goes wrong relating (in any way) to the use of their software, you agree to defend them in court and hold them harmless. So, if an OEM tool suggests a certain repair, which then leads to a future accident, the EULA says that they are harmless, and you are on your own.
Again, it’s standard language, and it’s the reason we have: (1) common sense ─ if something in the tool doesn’t seem right, question it; (2) limited liability entities ─ your shop should be operated through an entity designed to keep the liability inside that entity; and (3) insurance ─ the entity must be properly insured, or else you lose limited liability and ownership now bears the burden personally.
The party to the agreement is important. And having that entity created and maintained the right way is just as important as properly insuring against all risks. EULAs are designed by the software owner (an OEM, in our example.) So, EULAs are going to be written in a way that benefits the other party in the greatest way possible. In order to use the tool, they are going to require the shop to sign the EULA.
The recent panel in Indianapolis had a different focus, as I understand. Several states have passed data privacy laws ─ which means shops must take steps to protect the personal information of their customers. I called this a developing issue above, because in Europe, this body of law has been established for several years.
Violation of a data privacy law is particularly painful for two reasons. First, a violating shop is held strictly liable, meaning that you are in trouble even when you haven’t done anything “wrong.” The second painful piece is that your liability for the breach goes beyond the initial breach and continues on to later unauthorized uses of that personal information. So, a data breach could haunt a shop for years.
Under Massachusetts privacy regulations, every shop “must develop, implement and maintain a [written] comprehensive information security program.” That program must have “administrative, technical and physical safeguards” relative to the need, amount of data stored and your shop’s size and resources.
The law is still developing in the US. There are consultants you can hire to look over your practices and perhaps to write up a program for you. This privacy issue will only get more important with time. So, everyone needs to adopt best practices: locking file cabinets, personal passwords, firewalls and secure servers.
And the data which we have in our systems is sometimes interchanged with other software controlled by EULAs. Now, more than ever, shops have to consider how they safeguard customer and employee data and which other programs are getting what data and for what purposes.
I have been part of teams that have done the analysis necessary to overturn each stone and map to determine which personal data is going where. It is a long and cumbersome process that is commonplace in Europe. For the time being, shops in Massachusetts should adopt common sense approaches to data security and include a disclosure about personal data usage in their customer intake forms. Get customer authorization for the reasonable use of that data in the course of completing the repair.
But while data privacy law will continue to grow and develop for years to come, there is an area of law which is much more settled. Make sure that your liability is safely secured in an entity which limits the personal liability of employees and owners. That entity needs to be the party signing EULAs, creating agreements with the vehicle owners and securing the personal data stored by your shop.
One great way to stay in the know on this and many other issues facing you and your shop is to be a member of AASP/MA. As more issues arise, AASP/MA and Coverall Law will work together to keep the ALLiance members informed and protected. See page 7 for membership application.
Want more? Check out the September 2023 issue of New England Automotive Report!