Collision repair estimate information is still largely not well guarded, and the consequences are felt by auto body shops -- and their customers.
Pete Tagliapietra, managing director of DataTouch, appeared on a CIECA webinar to talk about how estimate information is obtained by third-party companies, who is obtaining it and how they are using it to generate revenue, who they are selling it to and why, and how government legislation is trying to intervene.
Tagliapietra began by reviewing the typical workflow of a claim. When an estimate is saved and exported by a shop to an estimating provider, that data is passed on to integrated supply chain partners. Or the shop can send the data directly to its supply chain providers, like parts vendors and rental car companies.
That estimate data includes vehicle history; shop information like labor rates, insurance partners and vendors; vehicle repair information; and personal customer information.
Tagliapietra offered a list of sources that currently collect that data.
“This list is not meant to be all encompassing, but it will give an idea of the magnitude of the information being collected and how it’s being collected,” he said.
That list includes state DMVs, police departments, the National Highway Transportation Safety Agency, the National Insurance Crime Bureau, OEM repair information providers and parts suppliers.
Towing companies also collect data when they take photos of vehicles, including their VINs, when towing them from accident scenes, as do body shop IT providers and mechanical repairers, both independents and dealerships.
“It’s well known the majority [of mechanical repairers] sell vehicle info to reporting services,” Tagliapietra said.
Any supply chain provider that has a data pump installed on a body shop’s computer system is collecting data.
“Any time an estimate is written and exported, that VIN is now in the public domain, and there’s a chance that estimate will also be in the public domain,” Tagliapietra said.
“Anyone in the automotive service industry who has a business management system, there’s a probability that information is being collected,” he said, though that doesn’t necessarily mean they’re repurposing and selling it.
Tagliapietra said his company has never analyzed a data pump that only collects the estimate that’s relative to a specific provider.
“Every data pump we’ve monitored collects every estimate being generated by that shop computer,” he said.
Who May Buy Customer Info and Repair Data?
Vehicle history reporters like CARFAX are key benefactors of estimate data. They can combine photos from a tow company with a parts order to draw conclusions about damage without even seeing an estimate, Tagliapietra said.
Parts manufacturers and suppliers use the data to determine which parts to prioritize in production and manage inventory.
Insurance reporting bureaus get data from DMVs or insurance service offices, but they can also purchase it from private sector companies.
OEMs, both foreign and domestic, use data to see how their competitors’ vehicles are being damaged compared to their own.
Information database resellers use estimate data to create lists they then sell. It may be lists of body shops in a certain region, customer and insurance policy holders, OEM and alternative parts procurement by ZIP code, vehicle market share by ZIP code, or vehicle value and repairability, which is valuable to insurance companies for determining rating systems.
“It’s also available for abuse and being nefariously repurposed when it shouldn’t be,” Tagliapietra said.
For example, in July 2022, an unnamed company was reportedly offering to sell estimate info to local competitor shops, who could then try to contact the customer and “steal” them.
The company said it could provide 138,000 quotes a day, each including customers’ names, addresses, phone numbers and email addresses; the insurance provider and body shop that generated the quote; and vehicle and parts data.
Tagliapietra called it “an egregious example of how data taken from a shop was nefariously misappropriated and used against the shop; just an abysmal situation.”
What Are Legislators Doing?
The federal government hasn’t successfully passed any data security laws, but state governments are starting to step in.
California, Connecticut, Colorado, Iowa, Utah and Virginia all have enacted comprehensive consumer data privacy laws. Seven other states are currently in the process, and it is “unquestionable more will follow,” Tagliapietra said.
That legislation also means the possibility of non-compliant businesses, like collision repairers, getting fined.
A proposed Texas law would also impose new rules on data brokers.
What Can Be Done Now?
In 1996, CIECA’s EMS standard was launched, revolutionizing e-commerce in the collision repair industry but opening a Pandora’s box, Tagliapietra said.
“The original intent was just to let a body shop download an estimate into multiple management systems,” he said. “But CIECA is not in the data security business, it’s in the standards business.”
Until recently, there haven’t been tools available to help shops protect customers’ personal information on estimates, but tools are now becoming available.
Some can remove customer and policyholder information before it’s copied through a data pump, or only allow a specific estimate to be shared with each supply chain and IT provider. Some also segment the estimate repair line information so only relevant data is sent to supply chain providers -- for example: parts providers don’t need to know labor rates.
How to Stay Ahead
To keep up with new developments in data security, Tagliapietra suggested paying attention to the Collision Industry Conference’s Data Security Committee’s updates at quarterly CIC meetings.
He also suggested repairers look for estimating software providers that state they do not share personal information.
“When an estimating provider states to the industry and publishes that they do not share their information, I find that very refreshing,” Tagliapietra said. “So I would suggest our audience pay attention to what information providers say in writing they do not share their estimate information.”
He also suggested researching the tools available to audit your own shop’s computer system to identify data pumps running and what information they’re collecting from estimates.
But, Tagliapietra said, repairers have to remember information may have to be shared with another party that might then sell it – for example, a part search may go out to several different dealerships that may have a management system that sells information.
“I’m not here to point the finger at anybody, but we have to think about all the possibilities, how prolific the problem is today and how we’re going to start getting our arms around it,” Tagliapietra said.
Abby Andrews