Collision industry professionals have been concerned about the privacy and security of business and customer data with the rise of Web-based technology solutions like cloud computing. Cloud computing certainly has huge advantages, but shop owners today are concerned about who has access to their information.
FenderBender’s Andrew Johnson sat down with Greg Horn, vice president of industry relations for Mitchell International, to discuss concerns shops have over data privacy.
New technology shifts have made it easier to collect and centrally store data generated by repair businesses. That’s also increased the ease by which data can be shared and used in ways that may not have been intended by repairers. What exactly are repairers concerned about when it comes to storage of their business information?
The increase of cloud-based computing is the biggest concern for shop owners today. As the industry as a whole moves more toward Web-hosted solutions, people want to make sure their security is top-notch since so much of their data is stored out on the Web.
Certainly some of the information shops store on the Web these days includes private customer information. What policies are in place to prevent third-party dissemination of that information?
Consumers would understandably be upset about their private information being shared—like phone numbers and home addresses. Because vehicle owners have direct dealings with the body shop, many of them would logically believe shops are responsible for this data sharing.
The Gramm-Leach-Bliley Privacy Act prohibits businesses from sharing certain private information of vehicle owners when such data is related to or combined with financial account data. I don’t know of any third-party organizations that are currently sharing this type of private data. The only exception to this is when the business has a defined privacy policy which allows for such disclosures.
There must be more to this than just a concern over the security of customer information. Shop owners have to be concerned about people outside their facility walls accessing certain business metrics, too.
Insurers are after data that helps benchmark performance. I’ve spoken with auto body associations that have mentioned that shops don’t want insurance companies to see their margins or profitability, for example.
How common is it for insurers to get their hands on those types of metrics?
I have led Mitchell’s data analytics group for the past few years and can tell you that I have never had an insurer request that type of information. Although that’s an industry concern right now, I don’t know of any insurers that are actually interested in obtaining that information because it would not affect any key metrics that insurers use to evaluate shops in their Direct Repair Programs.
The insurers I’ve spoken with want to understand how shops perform in cycle time, customer satisfaction and aggregated repair statistics in order to run their business successfully. They’re not after shop profitability.
Estimating companies clearly have access to those business metrics that shop operators want to be kept private. You say insurers don’t ask for that information, but it’s a legitimate concern to think estimating companies might be providing it to them anyway.
Mitchell understands that concern on behalf of shop owners completely. We pledge to guard all the business data that shops supply to Mitchell. We do not share individual shop data.
In Mitchell’s case, shop contracts specifically spell out what information they are willing to share. The only exception is when shop owners specifically mention they want to share certain data elements with a particular business partner. But we have to obtain express written consent from shop owners in order to do that.
But Mitchell does publish its quarterly Industry Trends Report, which reveals particular elements of collision repair industry performance metrics. Isn’t that a good example of how Mitchell is sharing shop data?
For shops that have certain agreements with business partners, their contracts are written in ways so those business partners lawfully have access to particular shop data. We do reserve the ability to share aggregated data, which is written in every shop’s contractual agreement. We aggregate data for reports because there is value in that both for the shop and the insurance community.
We provide aggregated performance data for specific areas of the country to compare against the entire industry. For example, we will pick the Southeast region of the country and aggregate data from three or four states to help shops benchmark their performance. Since the information is all aggregated data, you would never be able to pick out one single shop.
If shops are upset about the average labor rate data being shared, it’s important for them to know that this data is not private and could easily be obtained by anyone. In the past, insurers merely called each shop in an area to obtain the average labor rate.
Because data sharing like this is aggregated and anonymous, shops do not need to be concerned. They can choose not to do business with a carrier in an automated format to stop this sharing, but that would not benefit either partner and would likely eliminate them from being on a Direct Repair Program.
Claims that other third parties are capturing information must be true since some organizations somehow acquire vehicle history reports.
That’s true. Vehicle information data does go to the National Insurance Crime Bureau, which then can be obtained by companies like CARFAX that report on vehicle history. Dissemination of that kind of information and in that manner is not a violation of the Gramm-Leach-Bliley Privacy Act. In fact, it is likely written in a shop’s contractual agreement with DRP partners or their estimating provider.
Some shops are saying they were unaware that CARFAX is able to acquire information that started out in the shop’s system.
Data showing up on a CARFAX report, for example, does not disclose vehicle owner contact information. CARFAX data shows registration data, service information such as oil changes, safety inspections and accident information as it relates to the history of that vehicle. But it does not disclose names or contact information of the vehicle’s current or prior owners. And most states require disclosure of previous accidents when the vehicle is traded in. Some states, like Iowa, even brand the vehicle title as having exceeded a certain dollar amount.
I’ve heard one example from a consumer who went to turn in their vehicle, and did not disclose to the dealer that the car had been in an accident. When the CARFAX was run, they found out the car had been in an accident. The consumer dishonestly wanted to keep that accident and repair a secret. If you look at your contract when you turn in a vehicle, you agree to disclose any damage. That was not the most forthcoming consumer.
Quite frankly, I don’t know why shops are concerned about CARFAX acquiring repair information. If you’re proud of your repair work, and you see from a CARFAX report that this car had been repaired and it looks good, that can be a great advertisement for the shop.
If there’s so much concern over the potential security problems caused by cloud-based computing, why are so many shops opting to go that route?
In today’s world—with Web-based solutions and cloud computing—it’s easier to have multiple machines running in multiple locations without needing a constant IT upgrade and trouble shooting. If there’s a system upgrade available, it’s instantly done on the Web.
That’s a good thing because in the past, every time there was a new product upgrade, we would have to mail out a patch or new product disk and make sure that shops ran the updates at the same time. There could be a conflict if some shops were running an older version and they were tied into shops running the newer version. Shops would also have to make sure that their server and computer had the ability to accept and run that program at maximum efficiency.
In today’s world, there aren’t any worries about problems and system requirements as long as you can simply access the Internet. That’s why customers are voting by recorded option to adopt Web-based products for their repair centers.
If shops had overwhelming concerns and were not given assurances of privacy regarding their data, they wouldn’t be buying the products. When shops completely evaluate the advantages and safeguards being taken, they will enthusiastically make the move to Web-based products.
What suggestions do you have for shop owners to help resolve their concerns that revolve around privacy of their business data?
First of all, shops need to fully understand what is and what isn’t being shared, what’s legal, and where an information violation may happen or could happen. Second, they need to understand that in today’s world cloud computing is potentially safer for resisting hacking than is a standard server-based communication infrastructure that some shops still use.
If they have a concern about what information is and is not being shared, it behooves shops to review their contracts and start to have conversations with their business partners at all levels to understand what’s going on.
Shops should not fear having a conversation with an insurer over their concerns with data privacy. If a shop has a concern over a potential violation of the Gramm-Leach-Bliley Privacy Act, they should discuss their concerns with the insurer and request the insurance company’s legal staff review the concern.
What other assurances do you have for shops over their privacy concerns?
We’re going to see more and more solutions that will be cloud or Internet hosted moving forward.
Along with that comes development of better and better encryption and safeguarding of information. The security and encryption is constantly being updated.
With proper security in place, the migration to cloud computing does not really change the ability of third party entities to obtain data.
Proper security and encryption must also limit concerns of shop systems getting hacked into by people outside of the organization.
Right now we have about 30,000 shops throughout the United States, which means there are potentially 30,000 ways to hack in to individual shop data. The risk of that happening is reduced as we go to a centralized cloud with good encryption and security passwords.
The information is no more susceptible to hackers than any other encrypted Internet transaction that happens today. In fact, cloud computing in its present form is probably more secure than the existing infrastructure.
The whole data privacy issue seems to be more based on fear of information potentially being provided to third parties, and not based on the fact that it’s actually happening.
Shops should be reassured once they fully investigate what aggregated data is being shared, and what steps are being taken to provide security and adherence to the Gramm-Leach-Bliley Privacy Act.
