As the automotive repair and service business becomes more heavily reliant on data and electronic communication, protecting customer information has become a more important concern in the industry. The Automotive Service Association (ASA) recently cautioned members that third-party vendors may be reselling customer data to other organizations, and has created a new Data Security Policy Agreement/Addendum for repairers who want to both protect that data and shield themselves from potential liability.
“The protection of personal information and proprietary technical data is a priority for consumers, regulators, legislators and class-action attorneys throughout the United States and abroad,” says attorney Patrick J. McGuire of Patrick J. McGuire Law Offices, Mt. Prospect, Ill. “As an industry, everyone should be doing everything within their power to prohibit the unapproved/unsolicited sharing of estimates and repair data that goes beyond the scope of what is necessary during the normal course of doing business.”
The new data security policy document states that all information (data) provided to outside vendors is “owned exclusively by the shop and provided for the sole purpose of conducting business.” It does not grant the authority to share the data, sell it, or repackage it without the express written consent of the shop.
The development of the policy was prompted both by the recent national focus on the security of vehicle and owner data (particularly for connected vehicles), and by a recent incident involving an ASA board member. In that case, estimate data made its way to CARFAX within 48 hours of an estimate being created. The customer was angry with the shop because the updated CARFAX report reduced the value of his vehicle (which he was about to trade in).
The New Way to Affect Change In Your Shop
|
Give us one minute of your time, and you'll learn three key ways shopping for parts online can change processes in your business. |
|
The shop was not aware the data had been shared, so the ASA helped the shop follow up with CARFAX about the source of the data. CARFAX indicated that it gathered information from more than 34,000 sources. Without specifying the source of the information, CARFAX also stated that they did not get information from CCC Information Services, the estimating system used by the shop.
“We thought there ought to be a policy in place within a shop that clearly states to vendors that if you don’t already have a transparent data privacy policy telling me how you are using the data, then maybe I ought to have a form for you to sign,” says Tony Molla, vice president of the Automotive Service Association.
“Shops need to take control of their data,” adds Scott Benavidez, ASA’s Collision Division Operations Committee director. “Situations like this aren’t unique, and the potential for class-action lawsuits should cause everyone to lock down their data. Nobody should be profiting from the data we are generating on behalf of our customers.”
According to Molla, it’s still unclear what types of liability issues the sale of customer data could generate. If the data is hacked or stolen, the shop could be liable for any damages to consumers (like identify theft or vehicle theft). If the data is sold to a third party without permission, customers could potentially come back and sue the shop.
“These are the types of things we’re thinking about,” Molla says. “It can expose the shop if they haven’t taken the steps or reasonable precautions to protect data and customer information that they collect in the course of a repair.”
Shops that aren’t sure about how their vendors are using customer data should take the first step and ask about data sharing and selling policies. “Most vendors that collect data generally have a privacy policy in place,” Molla says. “They will tell you that they do not share data at all, or that they do share it, but in aggregated form so it can’t be used to identify a particular customer. But ask the vendor; getting an answer to that question is a step in the right direction.”
As more vehicles become connected, as more drivers connect their smartphones to their vehicles, and as OEMs and repairers wrangle over vehicle data pertaining to repairs, these data privacy issues will be even more important. An increasing number of companies also want to buy that vehicle data. McKinsey estimates that the market for automotive data could reach $750 billion by 2030.
“The reality is that data is being collected right now that you might not even be aware of,” Molla says. “The ASA is partnering with other associations to define exactly wat is being collected, what is being used, and who has access to it.”
In addition, repair shops should take other security precautions like ensuring that their Wi-Fi connections and network firewalls are properly secured. “Is your office or business network as robust as it should be?” Molla says. “If you don’t know, you should be asking. It’s time t take a look at all of your enterprise functions and see if there are security holes you have not anticipated, that may have been introduced by the advancement of technology.”
For shops that want to utilize the new agreement with their own vendors or other partners, it can be downloaded here.
