Scrubbing Customers’ Cars Clean of Digital Debris
Key Highlights
- Vehicles contain invisible personal data like addresses, codes, and passwords that can pose security risks if not properly managed.
- Shop owners must understand their legal liabilities and ensure they can effectively clear PII from vehicles before disposal or repair completion.
- Collaborating with insurance, IT professionals, and legal experts is essential to develop comprehensive risk management and compliance strategies.
- Legislation around PII in vehicle repairs is evolving, and shops need to stay informed to avoid legal pitfalls and protect customer trust.
- Proper documentation, clear communication, and understanding of state laws are critical in managing customer data responsibly.
Just because you can’t see something doesn’t mean it isn’t there. Alongside sensitive physical papers and belongings, wrecked and totaled vehicles are regularly filled with an invisible personal asset:. aA digital trail that’s both highly personal and valuable —things like home addresses, garage door codes, and other information stored in the vehicle’s computer.
Here’s how to safely handle your customers’ personally identifiable information, as it's known, in a highly digitized era.
The backstory
Each time a vehicle is towed into a shop for assessment or repair, it’s like a customer’s cell phone and banking information came along, too. And this puts a collision repair shop at risk right along with the customer, who probably isn’t aware of how much sensitive information they’ve left out in the open.
It’s digital debris and practically diamond dust — invisible credit card numbers, passwords, and key codes stored digitally. And even though it is the customer’s valuable PII they have left behind, it may be your legal responsibility to contain it and keep it safe, according to laws of the state in which you operate.
David Willett, co-founder and chief underwriting officer of Kansas City, Missouri-based Spark Underwriters, an I-CAR-trained insurance company specializing in products for the automotive specialty market, has cyber-risk wisdom that can help keep shops safe.
Marrying insurance with risk management is the full answer.
The challenge
Many shop owners — and probably the majority of state legislatures — are only beginning to grapple with cyber risk in the collision repair industry.
“Insurance isn’t the full answer,” Willett says of the process of protecting your shop from liability. “Marrying insurance with risk management is the full answer.”
He continues, “From a PII standpoint, when you’re working with customers’ autos you must know your liability. If you tell somebody that you’re going to clean their car of any trace of PII, then guess what? You’ve taken on the duty to do so.”
This is where collision repair business owners need to know their state statutes. Be advised, as well: even when the law in a particular state seems settled and the statute appears to be clear on the issue of PII and shop liability, there can still be murky areas, Willett says.
Increasingly in the collision repair industry, there is ongoing conversation about whether shops will be required to declare that PII will be safely cleared from customer vehicles in the first place. “But at this point in time, the legislation hasn’t always caught up with what’s going on,” Willet says.
Another challenge for a shop owner is making sure they can actually do what they say they will do regarding a customer’s PII. “Once again, if your statement is that you will [clear a vehicle of this personal information], there’s the challenge of getting in and making sure that you’re actually able to clear it and get rid of it all,” Willett stresses.
“It’s a challenge that can vary by make and model of car, as well,” he adds. “You have to realize what you’re working on and what you’re working with. The internet can track and capture a lot of information and keep it in the cloud forever. And it may be in a place you can’t even get to.”
The solution
Knowledge is power, and it is also safety for a collision repair shop owner.
“Initially, you could say you were providing the service, with some degree of keeping the customer’s data safe,” Willett says. “And a person would have to be really sophisticated to know if you actually did.”
Now that various state laws have come into play, though, the issue of PII has become more convoluted.
To find out what is required to do the job correctly and legally today, Willett says shop owners should talk to both their insurance company and a cyber risk expert, which will probably be their IT professional.
At Spark Underwriters, Willett and his team can provide an evaluation of risk by looking over contracts and determining whether they are increasing or decreasing a shop’s risk. But as he stresses, “We’re able to measure risk [only], and that’s what we’re licensed and contracted to do.”
To assess actual risk at your business and address it, however, an IT professional must be part of the process. Lawyers too, are part of the equation.
As Willet notes, “Make sure your lawyer joins the conversation and that you have a good understanding with them, because it’s important how you write your contracts, for example.”
Repair orders, too, must clearly state how PII will be handled by your shop.
“We’re pushing for our customers to be aware of this and to make sure they understand the language in the RO. Otherwise, it could be a gray area where your customers assume you’re [scrubbing their data clean from a wrecked vehicle], simply because you’re full-service.”
The aftermath
Right now, there are more questions than answers in the industry about how to deal with PII left behind in damaged vehicles.
“We’re working with our shop owner customers on what they’re communicating to their customers and on recognizing what’s their responsibility — and where they are legally liable,” Willett reiterates.
Oftentimes, collision repair shops are operating in a total loss environment, as well. So, a car won’t be put back together in some form or fashion, it will be handed off for salvage disposal.
“I’ve heard a lot of discussion about how people are going to clean the data left behind in those cars,” Willett says. “Is a shop owner somehow going to wipe it clean or wipe the information out of the system?”
He adds, “My concern is to make sure you can. Make sure you actually know you can do that.”
The takeaway
Just because a vehicle’s crunched, it doesn’t mean the intelligence of its software system and the hardware connecting it isn’t still fully functional.
“It can still be connected, viable, and transmitting,” as Willett puts it. “We used to hope we could trust a computer shop when we took our computer somewhere to be worked on, and now our cars are roaming computers, right?”
Since cars are computers today, that means a shop owner’s responsibilities — and liabilities — have exponentially increased. When customers bring in their vehicles for evaluation and collision repair, they now need reassurance on two counts. The first is, they need to be confident you’ll do the collision repair job. And the second is, they need to be sure you’re not leaving their PII unprotected.
About the Author
Carol Badaracco Padgett
Carol Badaracco Padgett is an Atlanta-based writer and FenderBender freelance contributor who covers the automotive industry, film and television, architectural design, and other topics for media outlets nationwide. A FOLIO: Eddie Award-winning editor, writer, and copywriter, she is a graduate of the University of Missouri School of Journalism and holds a Master of Arts in communication from Mizzou’s College of Arts & Science.