Cloud computing adds new twist in battle about shop data

Jan. 1, 2020
Data that collision repairers expected to remain private or protected leaked into the hands of a third party.
If you haven't heard any industry stories lately that caused your blood to boil, consider the following: Shop owners have used estimating programs to determine the repair costs of vehicles they own, according to Tony Passwater, president of AEII and chairman of the Collision Industry Conference's Data Privacy Task Force Committee. In each case, the owners entered information without formally submitting it to anyone or performing the repairs. Reports appeared on CARFAX stating the vehicles had collision damage and had been repaired.

The Society of Collision Repair Specialists (SCRS) reports similar stories with data that repairers expected to remain private or protected leaking into the hands of a third party, says Aaron Schulenberg, SCRS executive director.

Such is the state of data management in the collision repair industry. Repairers punch critical information into familiar programs or new services in which they've invested significant dollars, and suddenly, their data is someone else's data. In a business environment where information is money, repairers have good reason to raise questions, or better still, alarms, about data privacy and security.

Add the emergence of cloud computing technology, where critical information is transmitted through the Internet (to which more than 2 billion users have access), and repairers could have greater concerns on their hands. Cloud computing is adding a new twist to the long-standing debate among repairers, information providers and insurers about data ownership and use. Repairers must ask themselves who's looking at their data and whether there is anything they can do about it.

Cloud computing takes local computer programs – whether they are estimating or management systems or other business programs – and makes them remote via the Internet. Instead of a program residing on a PC, it exists on another computer (usually large, powerful server computers) under the domain of the service provider. When you use the program, you are running it from that computer. An example is Internet–based e-mail through Google or Yahoo. You view your e-mail on your computer, but it exists elsewhere – allowing you access from any Internet-connected computer.

That's one of the benefits of cloud computing. Typically, you can access your programs from any computer as long as it has Web access. Because complex programs rest on a remote computer, they don't need to take up valuable space and processing power on a local computer. Perhaps more importantly, product upgrades and fixes are done at the source (those remote computers), so shops don't need to worry about upgrading their own computers.

Additionally, all the data shops enter into these programs can be backed up and saved by the service provider. Should a shop suffer a catastrophic computer systems failure or be damaged by a fire or flood, the data on it can be retrieved from a safe location elsewhere.

That elsewhere, and how it gets there, is the worrisome aspect of cloud computing. Shops extend tremendous trust that their data is protected both as it travels to a provider and once it arrives. Regardless of the safeguards a service provider may institute, more people than ever have some access to a shop's information. That includes the people working for service providers and a shop's own employees, who have off-hour access to information and who might access it from remote computers with poor security, such as programs that save IDs and passwords.

Industry members say employees may pose the greatest risk to shop data.

Curtis Nixon, owner of FIX Auto – "L" Monty Body Shop in South El Monte, Calif., and vice chair of the CIC Data Privacy Task Force Committee, believes shops have far more to fear from security violations close to home than on the Internet or at the service provider's locale. Former employees with access to a cloud computing service are a more likely and much greater risk than a stranger.

"You need to watch your passwords," Nixon says. "When someone leaves, shops need to restrict access."

Data ownership debate

Nixon is probably in the minority of repairers when it comes to determining the dangers of cloud computing. For many, the ability of information providers and others to have immediate access to shop data and share it with insurers or third parties is the real threat. They see this constant and steady transfer of shop data as a loss of repairer control over their businesses.

"We need to talk about who owns this data," Passwater says. "It seems that shops have no right to their information. Once they enter the information, it belongs to someone else who can do whatever they want with it. The shops have no say."

Information providers, such as Mitchell International, say shops have control. Greg Horn, vice president of industry relations for Mitchell, says his company reports shop information only in two cases: where a shop has already signed off on releasing the information to a specific insurer in a DRP agreement and in an aggregated form where no one would be able to glean specific information about a shop. Shops should feel safe with Mitchell handling their data, he said.

"It wouldn't make any sense for us to give out this kind of information," Horn says. "No one would have customers very long if you did business this way."

According to CCC Information Service's published policy, its reporting guidelines are strict:

"Regardless of whether a repair facility consents, certain types of data related to business cost and profitability won't be shared with third parties that are consumers of repair facility services, including, but not limited to, insurance carriers, third-party administrators and fleet operators. These types of data consist of:

  • projected or actual gross margin of repair;
  • labor cost including employee wages, hours assigned, actual hours worked and projected or actual labor gross margin;
  • actual material cost including paint/shop material units, paint/shop material cost and paint/shop material gross margin;
  • repair facility internal notes;
  • repair facility internal events (file history); and
  • images and attachments that are tagged for internal use only."

A complex situation

For Passwater and others, such assurances offer little consolation. Some agreements shops sign with information providers specifically allow the providers to modify shop data they collect, Passwater says. Others note the data collected, which insurers use to set labor rates and repair guidelines, is slanted because of how it's collected.

For example, they note labor hours are a reflection of those rates agreed to with DRPs and not representative of the market at large. They also point to repairs that aren't reimbursed by some DRP agreements and say insurers use this data to create a picture of an industry where these repairs aren't the norm and shouldn't be reimbursed in other cases.

Horn said the data is an accurate reflection of an industry average "based on uploaded estimates from Mitchell customers, which includes staff, direct repair estimates and estimates written by independent appraisers."

The data reported, along with whose hands it ends up in, is being impacted by cloud computing because of the format in which the data is shared via the Internet.

Currently, the standard format for transmitting shop data is EMS (estimating management system), a longstanding DOS-based format that sends all repair information whenever any information is exchanged between a shop, through its estimating and management systems, and insurers, parts vendors, etc. This means parties such as rental car companies receive repair info they don't need and which they can forward to others.

The solution is for information providers and others in the industry to move from EMS to a business message specification (BMS) format because it would allow shops to better monitor and control the security of the data they share, says Fred Iantorno, executive director for the Collision Industry Electronic Commerce Association (CIECA). BMS, a modern format written in XML (extensible markup language), is a more secure medium to exchange information and allows shops to send the data that's needed, not the entire repair file.

"This way you aren't sending all your information to people who don't need it," he says.
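The difference between sending the whole repair file and sending only what a recipient needs, sketched as an added example (not code from the article, CIECA or any information provider). The XML element names, recipient names and sharing policy are assumptions made for illustration and are not the BMS schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample record; element names are hypothetical, not the CIECA BMS schema.
SAMPLE_RECORD = """<RepairOrder id="RO-1001">
  <Vehicle><VIN>SAMPLEVIN00000001</VIN><Model>Sedan</Model></Vehicle>
  <Customer><Name>Sample Customer</Name><Phone>555-0100</Phone></Customer>
  <Schedule><DropOff>2020-01-06</DropOff><Pickup>2020-01-10</Pickup></Schedule>
  <Parts><Part number="P-1" price="120.00"/></Parts>
  <Labor><HoursAssigned>6.5</HoursAssigned><Wages>210.00</Wages></Labor>
  <GrossMargin>0.41</GrossMargin>
  <InternalNotes>Supplement likely</InternalNotes>
</RepairOrder>"""

# Assumed per-recipient allowlists of top-level sections (illustrative policy).
ALLOWED = {
    "rental": {"Customer", "Schedule"},
    "parts_vendor": {"Vehicle", "Parts"},
    "insurer": {"Vehicle", "Customer", "Schedule", "Parts"},
}
# Cost and internal sections withheld from every recipient, even if an
# allowlist is later edited to include them (assumption for this example).
NEVER_SHARE = {"Labor", "GrossMargin", "InternalNotes"}


def build_message(record_xml, recipient):
    """Return (xml_text, withheld_tags) holding only what `recipient` may see."""
    if recipient not in ALLOWED:
        # Fail closed: no policy means nothing is sent.
        raise ValueError(f"no sharing policy for recipient {recipient!r}")
    allowed = ALLOWED[recipient] - NEVER_SHARE
    src = ET.fromstring(record_xml)
    out = ET.Element(src.tag, dict(src.attrib))
    withheld = []
    for section in src:
        # Default deny: sections not explicitly allowed are dropped, so a
        # field added to the record later is not shared by accident.
        if section.tag in allowed:
            out.append(section)
        else:
            withheld.append(section.tag)
    return ET.tostring(out, encoding="unicode"), withheld


def sections(xml_text):
    """List the top-level section names present in a message."""
    return [child.tag for child in ET.fromstring(xml_text)]


if __name__ == "__main__":
    for who in ALLOWED:
        text, withheld = build_message(SAMPLE_RECORD, who)
        print(who, "gets", sections(text), "withheld", withheld)
```

The returned list of withheld sections gives the shop a record of what was held back from each recipient.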

BMS has been available since 2004, but information providers have been rather slow to adopt it, Iantorno says.

But BMS appears to be on its way. Jim Dickens, a senior vice president at CCC, says the company is incorporating BMS in its products. Implementation might seem slow because a number of the parties who use shop data are still set up to use EMS. Dickens cautions repairers who might believe they can simply pick and choose what information to send and to whom. He notes parts information, for example, still must be shared with parts manufacturers and others by law. Furthermore, the amount of data available is immense. Data per repair is parsed out in 128 different folders, Dickens says.

The move to BMS will be gradual, but it seems to promise more control to shops. Still, some repairers worry this data will end up being used against them.

"The bottom line is we just can't seem to win," says Ed Gillenherd, an estimator at C&L Auto Solutions in Chicago. "I don't want to put information out there if I don't have to. I'd like to be able to choose what I can send and when. We seem to run into just as much trouble when we limit data as we do when we send out too much."

No way out?

Considering the complications cloud computing and estimating/management technology can mean for conducting business in the collision industry, it's a wonder there aren't more calls to move away from them. Some industry members have suggested shops go back to writing their own estimates. That may not be realistic in light of the incredible influence DRPs and insurers have on the industry.

There's a market for tools that keep shop data in firm control of repairers if someone wanted to build and market them, Passwater says. Until then, shops will continue looking for guidance on the best ways to deal with technology issues. When it comes to cloud computing, Horn, Nixon and Dickens say shops need to educate themselves and pay strict attention to any contract they sign with service providers that use cloud computing.

"Ask questions – it's only prudent for shops to know what they're getting into," Dickens says.

Some repairers still fear that what they find, they won't like. Dean Twiller, owner of World Collision in Nashville, sums it up this way: "Internet technology is a good thing. You have to make the most of the tools out there, even if there's some trade off in terms of what you're giving up, such as others knowing too much about your business. That's just how business works.

"Too much of our business is slipping away from us," Twiller says. "I have to fight a regular pitched battle with a dozen insurers who want to tell me how to work. Now, I have to watch my business being broken down in billions of bits of information and sent out on the Web where I have to worry about God knows who seeing it. If I thought about it more, I'd probably be a lot more worried. I just don't have the time to deal with this like I want."

Assessing cloud computing services

Considering how much data you could be dropping into a cloud computing system (for estimating, IT services, etc.), and the still-nebulous nature of these systems, protecting your data can feel like plugging leaks in a sinking boat.

But there's quite a bit you can do to protect your private data. Refer to these tips supplied by SmallBusinessComputing.com when considering what cloud computing services you want to do business with.

Tip 1: Assess your liabilities

One of the biggest cloud security risks is theft or loss of private data. If the leaked information is proprietary only to your company, liability isn't a concern. But you need to know where responsibility lies if customer information goes missing.

"If there's a breach and data is lost, it's not the cloud provider who is on the hook," says James Quin, lead analyst at Info-Tech Research Group. "It's the way all the regulatory bodies are coming down on this. You collected the data and chose how to store it. So you're on the hook if something goes wrong."

In other words, let the buyer beware.

Tip 2: Research the processes of potential vendors

To determine how a cloud computing service works, you'll have to talk to the provider. Be prepared to ask a lot of questions. You'll need to know what levels and types of encryption a provider can offer to ensure that even if data is leaked it can't be read. Encryption is the key protection against security breaches.

Learn about a provider's business continuity provisions. Ask: What happens if its main data center burns down? Does it have more than one data center? How many places does it store your data and how? Ask about security monitoring and auditing processes, and what kind of reporting the provider does. Also, if there's a breach, are you guaranteed the company will tell you?

Shops can be daunted by the complexity and rigor needed to assess cloud security. If you have any doubts about your ability to do this work, consider hiring a consultant. The cost of a consultant can defeat the cost-saving purpose of cloud services, but it is an initial cost, and it can be even more costly to make changes after you buy into a system requiring significant modifications.

Tip 3: Build security controls into your contracts

When you deal with any cloud service, the provider may not be willing to negotiate anything or extend much flexibility to smaller customers. But you still need to study the contract language as it relates to security controls.

If a provider is willing to negotiate, try to establish the type and level of encryption to be used, where and when to use it, and safeguards against data loss to be employed.

You also may be able to negotiate the right to audit the company's facilities or security practices, although the cost of doing so could be out of your price range.

Tip 4: Negotiate service levels and exit strategies

Security isn't just about protecting data. It's also about ensuring business continuity – the ongoing well-being of your shop. Someday your ongoing operations could depend on being able to access a cloud service. What happens if that service is unavailable, even for a short period?

Some providers will negotiate a service level agreement (SLA) specifying uptime percentages and the time to respond to trouble calls. SLAs can include financial penalties (typically a discounting of service fees) if the provider fails to meet contract terms. The stricter the terms, though, the more you'll probably pay for the service.

Be sure you're not locked into a provider's service where it's expensive or almost impossible to take your business elsewhere if you are dissatisfied or find a better deal.

Try to pre-negotiate terms for changing contracted services in response to changes in your business. This is the best way to guard against expensive fees that can accompany contract changes.

Tip 5: Pursue available offline security measures

Perhaps the biggest risk of moving to a cloud computing service is the loss of control over your security profile. It may be possible to preserve some control by using offline backup of data stored in the cloud or maintaining the right to control encryption keys, so if a provider's system is compromised, there's no possibility of keys falling into the wrong hands.

About the Author

Tim Sramcik

Tim Sramcik began writing for ABRN over 20 years ago. He has produced numerous news, technical and feature articles covering virtually every aspect of the collision repair market. In 2004, the American Society of Business Publication Editors recognized his work with two awards. Sramcik also has written extensively for Motor Age and Aftermarket Business World.