CRA Tech Security – USA

By John Huetter

The Collision Industry Conference Vehicle Data Access, Privacy & Security Committee on Thursday proposed five “Golden Rules” aimed at keeping auto body repair information from reaching unwanted sources.

Society of Collision Repair Specialists Executive Director Aaron Schulenburg, whose organization has sought to pinpoint the source of leaks to CARFAX, said during the virtual CIC Thursday that the rules could be a “best practices stated expectation of what end users can expect of their vendor partners.”

Schulenburg noted that the issue of data reaching vehicle history companies “truly negatively impacts almost every entity within this industry, with maybe the exception of the VIN reporting companies themselves.”

A crash appearing on a vehicle history report certainly poses the same risk of a dissatisfied customer to insurers and the OEMs playing a greater role in the collision process as it does to a body shop. Schulenburg said the leaks affect everyone in the collision ecosystem engaged in electronic commerce and tarnish “good work that’s being done by good companies who are trying to do the right thing” by leaving end users mistrustful of doing business digitally.

Schulenburg said his hope is that the Golden Rules foster an industry of business partners who can adopt them and say “‘my end users can hold me accountable to these Golden Rules.’” Speaking on behalf of auto body shops, he said none of the rules seemed to constitute an unreasonable expectation, and they represented something “many of the end users have been asking for for quite some time.”

First-party companies and third-party vendors might need to adopt practices along these lines anyway to do business in states with privacy statutes like the California Consumer Privacy Act, which applies to anyone doing more than $25 million in sales or accessing at least 50,000 Californians’ personal information.

The draft “Golden Rules” presented by Committee Co-Chairman Trent Tinsley state:

#1: Only use end-users’ data for the service(s) they intended for it to be used; never collect or use their data against them, or for business purposes other than those expressly intended and permitted.

#2: Always provide the end-user clarity, transparency, and continuing education on the data you collect, the business purposes for which it is being used.

#3: Never misappropriate end users’ data, or knowingly allow any third parties to covertly, dishonestly or unfairly access or take data generated by the end-user, for their own use.

#4: Give end-users the choice to determine what data is and isn’t shared, and the opportunity to opt-out of data collection outside of the primary intended purpose.

#5: Provide end-users with a clearly published, straightforward process to inquire about data that has been acquired from their business and the immediate chain of custody that data has encountered. (Minor formatting edits.)

Tinsley (Entegral) said the rules are designed to tie together to ensure a company is acting as a “proper steward.”

An informal poll of the CIC audience Thursday found 83 percent of an unspecified audience supportive of CIC considering adopting the rules at the November meeting. 14 percent abstained, and 3 percent said no.

Tinsley said the committee wants the industry to provide feedback ahead of the November meeting.

Rules Nos. 3 and 5 are noteworthy in that repairers, insurers and others need to be able to trust and verify parties downstream of their immediate vendors as well. As Tinsley put it when discussing Rule 5, “is there anyone else that has access to that data?”

Consider this scenario: Acme Parts Procurement Software has committed not to sell your customers’ data to vehicle history companies, telemarketers, identity thieves, etc. But in the normal course of doing business, it in good faith digitally transmits your customer’s VIN and your shop’s request for a new quarter panel to local dealerships to see if they have one in stock. One dealership deduces the vehicle probably was in a wreck and sells the VIN to a vehicle history company. See the problem?

Thus, it might be worth going a step further and verifying that your business partners demand similar Golden Rule compliance from their own downstream entities. For example, PartsTrader last month confirmed that its terms of use forbid vendors who bid on parts requests from sharing that information with history sites.

More information:

“Golden Rules” slides from Vehicle Data Access, Privacy & Security Committee

Collision Industry Conference, July 23, 2020

Featured image: Collision Industry Conference Vehicle Data Access, Privacy & Security Committee Co-Chairman Trent Tinsley (Entegral) on July 23, 2020, shared committee proposals for five “Golden Rules” aimed at keeping auto body repair information from reaching unwanted sources. (Screenshot from virtual Collision Industry Conference)

Credit to Repairer Driven News.