Many shops and their third-party business partners (rental car agencies, parts suppliers, etc.) continue to use the 22-year-old Estimate Management Standard, which was supposed to have retired in 2003 in favor of the Business Message Suite.
EMS and BMS are standardized information output formats that essentially allow different collision repair software to “talk” to each other.
Many, many collision repairers and associated companies still relied on EMS to do business, Rozint said, and Mitchell had no plans to discontinue EMS support. “From a repairer perspective, that is not a good announcement at all,” he said.
Rozint acknowledged that all the major insurers and MSOs use BMS, which spoke to its utility. He also agreed that the newer standard was more efficient, more secure and technically more programmer-friendly, exporting XML versus dBASE IV. (Though Rozint argued that for practical purposes, sticking with a format more common to the collision repair ecosystem would still be more convenient for developers within it.)
But despite what are “clearly technical advantages” and “clearly security advantages” with BMS, Rozint said an even stronger common sense argument demanded retaining EMS: “If it’s not broke, don’t fix it.”
The head of the Collision Industry Electronic Commerce Association, the organization which developed both standards (think of it like a nichey W3C) and has representatives of all three IPs on its board, was joyous at the change.
“We’re pretty excited about BMS being implemented in the repair facilities,” CIECA Executive Director Fred Iantorno said Thursday.
CIECA had “for a very long time” urged the industry — and IPs — to switch to BMS, pointing out how EMS exports are terribly insecure and outdated, Iantorno said. Now that it was a reality, “you’re kind of at a loss for words,” he said.
“You can imagine, we’re pretty excited,” he said. “We hope that the others (Mitchell and AudaExplore) follow suit.”
Phone and email messages left for AudaExplore staff and a PR representative Thursday were unreturned.
Any company needing EMS data today can obtain it either by installing a “data pump” on a collision repairer’s computers to capture the EMS file or having the shop upload it somewhere. Unfortunately, this means the other party gets and can use every single field of the file, not just the information they need, or even should see, to conduct business with the shop. In the data pump example, it’s even worse, as the pump can automatically collect files from the EMS directory for estimates in which the pumper had no role.
The Society of Collision Repair Specialists, another BMS proponent, has pointed out such EMS concerns.
In 2015, it gave the example of a member which faced suspension from a direct repair program after a customer’s loss appeared on a VIN reporting database — despite neither the shop nor IP having released that information. Without filters on recipients and agreements about what is and isn’t acceptable use of one’s data, EMS can leave a shop much more vulnerable. (Technically, someone could sell BMS data too, but there’d be a lot less of it transmitted unfiltered and fewer chances some forgotten data pump is getting it without the shop’s knowledge.)
And if you needed an even timelier example, failure to take security seriously just produced the PR and legal nightmare of 500 million users being breached at Yahoo, the New York Times reported Thursday.
Under this system, the shop wouldn’t have to bother with disseminating the data or having a pump. It would simply identify recipients, and CCC ONE/Secure Share would send those third parties just the data they needed to know.
Caliber Collision, one of the largest auto body chains in the country, also noted the security concerns. However, its IT head said during a March “CIECAst” that from an MSO’s perspective, the bigger problem was the inefficiency of EMS on a computer network.
Rozint, however, said that aside from a couple of anecdotal stories floating around the industry, a CIC data privacy committee couldn’t find any example of how EMS had caused a privacy breach or misuse of data.
In fact, he said, EMS data had been “flying all over God’s green earth” for more than a decade without major complications.
Even if one occurred, “the license agreements kind of flow downhill,” Rozint said. Mitchell could just pull the plug on an offender’s agreement — and odds are good it could figure out who did it.
“It would be very simple” to find out the source of a leak, he said.