Following the July 21 Collision Industry Conference (CIC) roundtable on the issue of customer and shop data privacy in the collision repair industry, Repairer Driven News sought to uncover some solutions that business owners can use to keep personally identifiable information (PII) out of the wrong hands.
Two solutions come from a lawyer and industry data expert who participated in CIC’s Data Access, Privacy and Security Committee panel – Steven Bloch with Silver, Golub & Teitell and Pete Tagliapietra, Datatouch’s Managing Director.
Bloch pointed out that there are data privacy laws in every state, and that new legislation is getting stricter about the responsibilities of each part of the data supply chain to owners.
For example, two states – Virginia and Florida – have both passed legislation that will go into effect next year to better protect residents’ PII. The Virginia Consumer Data Protection Act, effective January 1, will give residents the right to know who holds their data, object to its use, correct any inaccuracies, have the data deleted, and obtain a copy of the data controllers hold on their behalf. The controller is defined by law as “the natural or legal person who, alone or jointly with others, determines the purpose and means of the processing of personal data.”
The law will also subject companies that meet certain jurisdictional thresholds to additional obligations in terms of data collection and protection, in particular by limiting “the collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which these data are processed,” as disclosed to the consumer.
Bloch told Repairer Driven News that California is at the forefront of protecting consumer data and addressing the disclosures that must be provided, with Virginia, Utah, Vermont and Connecticut following suit with similar laws to increase protections and outline what consumers can do to prevent their PII from being shared.
A bipartisan, bicameral bill was also introduced in the U.S. House of Representatives last month to protect the collection and privacy of consumer data across nearly every industry, including automakers and car dealerships. HR 8152, the “U.S. Privacy and Data Protection Act,” aims to “provide consumers with fundamental data privacy rights, create robust oversight mechanisms, and establish meaningful enforcement.”
“The overarching theme is that we are all marching toward a world in which federal and state legislation strengthens and reinforces the data obligations available to all supply chain actors and the required disclosures for consumers so that they can provide informed consent and acknowledge how the data is being used,” Bloch said. “And understand what the purpose of its use is and what they can do to prevent data sharing, if appropriate.”
Data privacy solutions
Datatouch will begin alpha testing of its software in the second week of August and is expected to be commercially available by late September or early October, according to Tagliapietra.
“Datatouch is about giving the collision repair shop, or shops, complete control over their repair information,” he said. “Repair information obviously includes personal identifying information as well as their repair data.”
The Collision Industry Electronic Commerce Association (CIECA) EMS standard was published in 1994, and its purpose was to give body shops the ability to import estimating data into any body shop management system through the standard, he added. However, Tagliapietra said: “This standard did not provide any type of data security. It was an open standard. Data security was not even considered or discussed at the time.”
CIECA is currently working on a new set of JSON standards and open APIs (CAPIS) to complement its current Business Message Suite (BMS) standards and provide developers with a new option for building software for the collision industry. The first release of CAPIS is scheduled for October this year.
It was pointed out that BMS exports allow data to be segmented, which Tagliapietra says is a big step in the right direction. However, he said the segmentation is not done by shops. The data is sent to one of the estimating systems – CCC, Audatex or Mitchell – to be segmented, which means there is no data security because the complete estimate files have already left the shop’s systems.
Tagliapietra noted that insecure data exports lead to situations like the one Society of Collision Repair Specialists (SCRS) Executive Director Aaron Schulenburg recently discovered and shared at the CIC meeting last week in Pittsburgh. He discovered that at least one third-party company buys data from a collision industry data aggregation company to resell the information to the industry.
“We have information being disseminated throughout the industry and body repair shops have not cared about it over the years until recently when it gained a lot of momentum and visibility,” Tagliapietra said. “What we realized here at Datatouch was when we looked at the problem and the regulatory issues that were coming up – California, Virginia, etc. – where regulators were becoming aware of the issues and sensitivity of sharing personally identifiable information. We also realized how for-profit companies aggregate and compile this data and resell it.”
This includes vehicle history companies, such as Carfax and Experian, he added.
Key takeaways about what Datatouch will offer shops are protecting PII by default before software controls, also known as data pumps, ever have access to it, and auditing shop IT systems to see whether data pumps are running and delete those that are not necessary. Auditing is the first step in the process of identifying and removing unauthorized data pumps and would come with a one-time fee. Shops can then subscribe for a monthly fee.
“The other thing we can and will do for stores is give them full control over the content of the estimate. For example, we really need to understand who needs the VIN and this list is very short. … We’ll give the store the option to say, ‘Look, I’m only going to send this business partner the first 11 of the VIN.’ Or, ‘I’m not going to send the VIN at all.’ Or, ‘If it’s a car dealership, I’ll just send the last eight.’
“If there are trading partner software applications that require the 17-character VIN, these will be taken into account. The salient point is to send the trading partner only what is necessary to complete the transaction, i.e. a spare parts supplier will receive the vehicle descriptions and part replacement lines from the estimate – nothing else.”
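The per-partner minimization Tagliapietra describes can be expressed as a default-deny export policy applied before an estimate leaves the shop. The Python sketch below is an added example, not Datatouch’s code; the field names, partner types, policy table and sample VIN are constructed assumptions.

```python
# Added illustration; field names, partner types and policy are hypothetical.
VIN_LENGTH = 17

def redact_vin(vin, rule):
    """Apply a VIN disclosure rule: 'full', 'first11', 'last8' or 'none'."""
    if rule == "none" or vin is None:
        return None
    vin = vin.strip().upper()
    if len(vin) != VIN_LENGTH:
        raise ValueError("VIN must be 17 characters")
    if rule == "full":
        return vin
    if rule == "first11":
        return vin[:11]
    if rule == "last8":
        return vin[-8:]
    raise ValueError(f"unknown VIN rule: {rule!r}")

# Default-deny: a partner type receives only the fields listed for it.
POLICY = {
    "parts_supplier": {"fields": {"vehicle_description", "part_lines"}, "vin": "none"},
    "dealership": {"fields": {"vehicle_description", "part_lines"}, "vin": "last8"},
    "general_partner": {"fields": {"vehicle_description"}, "vin": "first11"},
    "needs_full_vin": {"fields": {"vehicle_description"}, "vin": "full"},
}

def minimize(estimate, partner_type):
    """Return the subset of an estimate that this partner type may receive."""
    policy = POLICY.get(partner_type)
    if policy is None:
        # Unknown partners get nothing rather than the whole file.
        raise PermissionError(f"no export policy for {partner_type!r}")
    out = {k: v for k, v in estimate.items() if k in policy["fields"]}
    vin = redact_vin(estimate.get("vin"), policy["vin"])
    if vin is not None:
        out["vin"] = vin
    return out

# Constructed sample record (not real customer or vehicle data).
SAMPLE_ESTIMATE = {
    "customer_name": "Pat Example",
    "customer_phone": "555-0100",
    "vin": "1ABCD23EFGH456789",
    "vehicle_description": "2020 sedan, 4-door",
    "part_lines": [{"part": "front bumper cover", "op": "replace"}],
}

if __name__ == "__main__":
    for partner in POLICY:
        print(partner, minimize(SAMPLE_ESTIMATE, partner))
```

Because the policy is an allow-list, a new field added to the estimate (for example an email address) is withheld from every partner until someone explicitly permits it.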
Datatouch is working on a few other projects that will provide shops with “return value in the future” and could launch as early as mid-2023.
Bloch’s firm, along with the law firm Duane Morris, provides legal assistance to collision repair shops in complying with applicable laws. The process would begin with a conversation between the shop and the firms about how the shop shares consumer information and data with its vendors and others it works with, Bloch said.
“We would also review and analyze licensing agreements and similar documents they have in place with any supply chain entities they share repair data and consumer information with so that we have the complete picture of the landscape and how the flow of information is structured,” he said. “Then what we would do is recommend standard operating procedures and compliance with any specific state or federal laws regarding repair data and consumer information or personal information. And then, ultimately, provide the body repair shop with documentation that they can present to the consumer, who provide the appropriate information, and then get consent and acknowledgment from their customers.”
Shops interested in legal services provided by the law firms of Silver, Golub & Teitell and Duane Morris can call Bloch at 203-325-4491.