CIC adopts data ‘Golden Rules’ as official work product for industry
By John Huetter on November 12, 2020
Society of Collision Repair Specialists, Repairer Driven News
The Collision Industry Conference audience on Wednesday overwhelmingly voted to adopt a set of “Golden Rules” for data as an official work product from the body.
The decision gives collision repairers and others in the ecosystem a standard of care to request from ones’ business partners, something NuGen IT President Pete Tagliapietra suggested during the CIC Vehicle Data Access, Privacy & Security Committee session containing the vote.
“I think at the end of the day, we as end users need to be more proactive in asking those types of questions,” Society of Collision Repair Specialists Executive Director Aaron Schulenburg said during the session.
84 percent of the audience voted in favor of enshrining the Golden Rules as an official work product. 4 percent voted against it, and 12 percent abstained. The size of the audience was not disclosed.
Technically, the CIC can’t force anybody to do anything. However, as the summit draws leading auto body shops, insurers, suppliers, OEMs and other collision industry stakeholders, the ecosystem consensus suggested by its official work products send a strong message to the marketplace.
“It’s not a legally binding document,” Schulenburg said during a panel accompanying the vote. “It is a best practice.”
The rules state:
1. Only use end-users’ data for the service(s) they intended for it to be used; never collect or use their data against them, or for business purposes other than those expressly intended and permitted.
2. Always provide the end-user clarity, transparency, and continuing education on the data you collect, the business purposes for which it is being used.
3. Never misappropriate end users’ data, or knowingly allow any third parties to covertly, dishonestly or unfairly access or take data generated by the end-user, for their own use.
4. Give end-users the choice to determine what data is and isn’t shared, and the opportunity to opt-out of data collection outside of the primary intended purpose.
5. Provide end-users with a clearly published, straightforward process to inquire about data that has been acquired from their business and the immediate chain of custody that data has encountered. (Minor formatting edits.)
As more companies committed that “‘I embrace these,'” it’ll become more obvious which business partners don’t, Schulenburg said. Some companies might be able to commit to four out of the five and have an explanation for the exception, “which again creates transparency,” he said.
Both Tagliapietra and fellow panelist Brandon Laur, a ClaimsCorp vice president, provided an example of two companies who had committed to safeguarding business partner data.
Tagliapietra said NuGen IT held the position “we do not resell or license” any estimate data customers send the company. “It’s been that way for quite some time,” he said. “We have no desire to change that position.”
He said NuGen had actually become “more sensitive” to this in the past 2-3 years and instituting further protection to keep trading partners from misappropriating information. “That’s a difficult position to take,” for NuGen has little control over those other parties, he noted. Nevertheless, it was committed to managing data “ethically and morally,” he said.
NuGen would take new actions in 2021 to let repairers know who their information was shared with and what NuGen IT could do to limit the amount of data shared, he said.
“Security is No. 1,” Laur said of ClaimsCorp. The company offers transparency to customers about data and obtains their consent for its usage of that data, he said.
Laur said ClaimsCorp even brings in outside firms to audit it and ensure “we’re doing what we say we are” — not just in its collection and “transition” but what people can access and which data points should be stripped out.
Seidner’s Collision Centers director of development and training Gene Lopez wondered from the audience if it would be enough for privacy-stressing California for a vendor to promise they followed the golden rules. (The implication seemed to be a scenario where the vendor’s behavior put their business partner out of compliance on state customer privacy law.) Would regulation still be necessary?
Schulenburg said that in his experience, many companies are willing to answer such privacy questions in writing. (For example, here’s CCC and PartsTrader.) Others were hesitant, he said. He argued that the legal departments for the former group of businesses wouldn’t let them commit on paper if they wouldn’t follow through.
“I think that’s a good place to start,” he said.
The need for such data Golden Rules seemed illustrated by comments from Automotive Service Association Executive Director Ray Fisher during the open mic portion of the Wednesday CIC. Fisher announced his organization had written to CARFAX CEO Dick Raines on Oct. 20 following member reports of consumer data reaching the vehicle history company.
ASA in the letter said independent repairers, multi-shop operators and dealerships had written estimates for vehicles that that appeared on CARFAX “‘whether the work was done or not'” and without those shops’ permission, according to Fisher. Such a breach affects customer satisfaction and retention, ASA wrote, according to Fisher.
The trade group told Raines it had repeatedly but unsuccessfully requested a call or meeting for clarification on how crash and estimate data reached CARFAX, according to Fisher.
Schulenburg had described a similar issue this summer and said SCRS had been unable to pinpoint the source of CARFAX leaks. Even test estimates reflecting fake damage that “could never have been reported in any other way” still make their way to CARFAX, he said in July.
CARFAX did not respond to a request for comment early Wednesday evening on the ASA letter and allegations. However, it did reply back in July when we asked it about the issue Schulenburg described then.
“Thank you for reaching out,” CARFAX public relations director Emilie Voss wrote in a email then. “More than 113,000 data sources across North America report information to CARFAX. The details associated with a single event on a CARFAX report may have been reported to CARFAX from several sources, both public and private. For more information about CARFAX’s data sources, please visit:
https://www.carfax.com/company/vhr-data-sources. Carfax recognizes the importance of accurate information, and therefore, the Help Center on www.carfax.com provides an easy, quick way to send CARFAX requests for data verifications and corrections.”
It matters that companies like Laur’s and Taligipietra’s say they don’t share information, Schulenburg said on Wednesday. A shop can evaluate such firms and conclude, “‘They align with what I’m looking for as a business,'” he said.
The issue isn’t that VIN reporting companies exist. It’s that “we haven’t been able to identify” who is proving shop data to them, he said.