Repairer Driven News
« Back « PREV Article  |  NEXT Article »

From CIC, a potential surprise for shops in CCC’s terms of use

By on
Associations | Business Practices | Education | Legal | Technology
Share This:

The Collision Industry Conference discussion of CCC’s controversial Secure Share program also pointed out a possibly surprising responsibility for body shops within the company’s existing terms of use.

Frank Terlep (Collision Diagnostic Services), who led the CIC Open Systems, Data Access and Sharing Task Force, highlighted April 20 several elements of the contracts between CCC and repairers and with its Secure Share vendors. Among them were what an auto body shop owner on the panel indicated could be a surprising and potentially impractical requirement of customer or insurer permission for any data sharing.

According to terms of use excerpts Terlep provided :

EMS Extract (Applicable if the EMS Extract Feature is licensed as specified in a Product Schedule.) CUSTOMER shall be entitled to use and disclose information extracted from an estimate which has been prepared by CUSTOMER (the “Extract Information”) by using the EMS extract feature of Comp-Est, Pathways or CCC ONE solely for the following purposes: (a) to transmit the Extract Information between Comp-Est, Pathways or CCC ONE and a management system that CUSTOMER has licensed from a third party for internal use only; (b) to transmit the Extract Information to a third party as expressly permitted in writing in advance (i) by the contracting entity for whom the estimate was created, including, but not limited to, the insurance company for whom the estimate was prepared (in the case of a repair, in connection with an insurance company’s direct repair program facility or in the case of an independent appraiser); or (ii) by the consumer for whose vehicle the estimate was created in all other cases and/or (c) transmit the Extract Information between Comp-Est, Pathways or CCC ONE to another Program licensed by CUSTOMER pursuant to this Agreement. In the event that CUSTOMER is transmitting the Extract Information pursuant to paragraph (b) above, CUSTOMER agrees to keep all written agreements from insurance companies and consumers authorizing the use and disclosure of the Extract Information and the identity of all third parties to whom the Extract Information is disclosed to by CUSTOMER.


During the term of this Agreement and for a period of twelve (12) months following the expiration and termination of this Agreement, CCC shall have the right to cause an audit and/or inspection to be made of such records in order to verify CUSTOMER’s compliance with all terms of the Agreement. CUSTOMER hereby agrees to indemnify and hold CCC harmless against all liability to third parties and expenses (including reasonable attorneys’ fees) arising from the extraction, use or disclosure of all or any part of the Extract Information. CCC may, at its option, conduct and control the defense and all related settlement negotiations in any such third party action as described herein, and CUSTOMER promises to fully cooperate with such defense at its own expense.

We asked CCC for complete copies of the CCC ONE and Secure Share terms of use so readers could see the full context rather than what had been selected by the panel. CCC declined, calling both documents confidential.

Task force member Barry Dorn (Dorn’s Body & Paint), said for most shops, the language Terlep presented would be a surprise.

An owner would read the boilerplate, and “you think you know what it means, and then, it gets deeper,” he said.

A&B CARSTAR owner Brett Bailey, another member of the task force, agreed.

“As a shop owner, number one, no, you’re not aware of it,” he said. “Number two, I don’t know that its physically possible for a shop to have permission every time our data is transferred.”

With all the data pumps and software in use by a shop, it might be impossible to comply, he said.

“Probably not,” Terlep agreed.

Terlep described the requirement as demanding permission from “every consumer and every insurer,” but CCC wrote in an email that it applied to one or the other.

For an insurer, it referred to instances of direct repair programs, CCC wrote.

Authorization is not required from both an insurer and a customer, but from either the contracting party for whom the estimate was written (that could be an insurer) or the consumer.  “Contracting,” in the context of the insurer, means DRP.  CCC owes obligations to insurers regarding the privacy of personal information and we assume, although we are not privy to the terms of the agreements, that DRP relationships have somewhat similar controls over a repair facility using personal information of insureds in the context of the repair facility–insurance company relationship.  If a consumer directly provides permission for a repair facility to use their personal information, our program assumes that is ok.  Given the intent of the Secure Share program and our history with regard to the safety and security of our customer’s data, we believe our agreements on this front are appropriate. (Emphasis CCC’s.)

The terms of use also require a shop to retain records for a year should CCC wish to audit them. CCC did not respond to a question about what records a shop would need or if it had ever audited anyone.

Still, it might be worth it to CCC users to consult with an attorney and keep adequate documentation on hand to meet these terms should the IP ever come by for an audit. And for the user and attorney to read the rest of the fine print in all vendors’ terms of use.

Ownership of data

Terlep also cautioned the Collision Industry Conference audience that the terms of use declare that a CCC customer “agrees that CCC owns all rights, titles and interests in and to the Estimatic Reports and Estimatic Reports data.”

However, CCC’s written responses to task force questions and an earlier interview have upheld that shops own their own data.

“Questions have arisen as to the impact on the data ownership rights of repair facilities and third party application owners,” CCC wrote to the task force. “Nothing in Secure Share is intended to, nor does it, impact any such ownership rights. Although amongst them there may be unique claims to rights in data related to a repair claim, the various users of CCC products and services, as between them and CCC, own the data they input into those products and services. Of course, other parties, including data providers such as OEMs and database licensors also own data that appears within our products and services, and contract terms between CCC and its customers naturally acknowledge those rights as well.”

Asked if Secure Share usage causes a shop or vendor to lose ownership of their data, CCC replied, “We cannot identify anything in the program documentation that changes any party’s current data ownership. Please provide further detail and we will look into the concern.”

However, while shops seem to own their data, they won’t necessarily be able to do anything with it conveniently unless it’s through CCC Secure Share.

The IP’s answers to the task force and to us last year suggest that anything outside of manually rekeying data to vendors not on Secure Share will be prohibited. (Though CCC in September also said shops interested in managing the files or BMS process in-house should contact it to discuss this further.)

From the CCC-task force Q&A (style/formatting edits):

1(b): (W)hat prevents CCC from gaining access to transactions that competing companies want to keep private?

We do not understand the inquiry, but if a repair facility and a third party wish to transact business with their data outside of CCC ONE and Secure Share, they are certainly entitled to do so. We do not believe that Secure Share provides CCC with any competitive advantage, if that is the concern.

5. Can a software company write a light application that does nothing but retrieve BMS from Secure Share and only certify that application?

No, data pumps are not secure and are not permitted under Secure Share.

6. Can a software company, using the above, share the data retrieved from above with other vendors?

No, data pumps are not secure and are not permitted under Secure Share.

7. Which data elements of Secure Share can be shared with another party? Assuming customer name is passed in the BMS, does CCC claim the right to restrict a shop from sharing any of its own data by virtue of that data appearing in the BMS?

The terms of the Secure Share program are available for your review. Of course, part of the security afforded by the program includes restrictions on the use and transfer of data. If an owner of data, whether it be a repair facility, an insurer, an OEM or a CCC licensor, desires to utilize its data outside of CCC ONE and Secure Share, it can do so if it is not in violation of the terms of its agreements with CCC.

10. If a collision shop uses free software from the public domain whose only purpose is to retrieve BMS from Secure Share and store it within the customers premise, a) would that software be allowed by CCC) would there be a 50 cent charge, and c) if there were a 50 cent charge, how does that reconcile with CCC’s statement that the shop doesn’t have to pay for the data?

See number 5 above.

More information:

Collision Industry Conference task force-CCC Q&A

Collision Industry Conference, April 20, 2017


Brett Bailey, A&B CARSTAR, speaks during an April 20, 2017, Collision Industry Conference panel on CCC Secure Share. (John Huetter/Repairer Driven News)

CCC ONE terms of use are shown in this slide from the CIC Open Systems, Data Access and Sharing Task Force. (CIC slide; John Huetter/Repairer Driven News)

CCC ONE terms of use are shown in this slide from the CIC Open Systems, Data Access and Sharing Task Force. (CIC slide; John Huetter/Repairer Driven News)

Frank Terlep, Collision Diagnostic Services, on April 20, 2017, leads a Collision Industry Conference panel on CCC Secure Share. (John Huetter/Repairer Driven News)

Share This: