CCC quality repair and market development Vice President Dan Risley on Tuesday confirmed the company wasn’t sharing collision repairers’ data with CARFAX and offered ways to shut down whoever was.
“We don’t share data with CARFAX, never have shared data with CARFAX, have no intention of sharing data with CARFAX,” Risley told the Collision Industry Conference. He said he’s “gotten this” weekly for the past year and a half. (Risley started with CCC in summer 2018.)
A slide shown to the conference also declared, “CCC does not and has not ever shared data with CARFAX.”
OEConnection recently made a similar declaration to users, meriting a “big shout out” on Tuesday from Risley’s CIC Data Access, Privacy & Security Committee Co-Chairman Frank Terlep (asTech). Terlep said a third company had done the same but didn’t identify it at the CIC.
Society of Collision Repair Specialists Executive Director Aaron Schulenburg in July said repairers seem to be experiencing more issues with customer vehicles mysteriously flagged by vehicle history companies.
In the past, such incidents have been “one-off” and infrequent, but lately, the concerns and questions from SCRS members seem to have come in at a “very increasing pace,” he told an SCRS open board meeting in the summer. The volume suggests it’s no longer an anomalous issue, according to Schulenburg.
Risley said CCC — which historically has held the bulk of the estimating software market share — has protected data “for a long time.” He said the rumor he’s heard from the industry since joining CCC was that the company had the ability to do whatever it wanted with data and share information with whoever it wanted.
He said CCC’s data policy intentionally limited what it could do without obtaining additional repairer consent.
Risley shared a slide describing what he called the licensing terms in place for a while.
According to the slide, CCC used data “in the programs for repairers to manage estimates and repairs”; “to provide reporting back” to repairers; “deidentified and used in the aggregate” to inform the industry, such as the statistics seen in “Crash Course”; and “internally for trend analysis, research and development, and to make improvements to the products.”
The aggregated data meant nothing claim-specific, according to Risley.
Any deviation from this would be submitted to the repairer for approval, Risley said.
“We are absolutely restricting ourselves,” Risley said.
Risley suggested one source of data leaks could be the EMS estimate files sitting unencrypted on a repairer’s computers.
“It’s not encrypted,” he said. Any vendor data pumps were sucking up the entire estimate file, he said.
It’s possible that over the years a shop has installed a data pump for a vendor it no longer uses, including during a software demo. Data could be going out to parties without the repairer realizing it, or to a vendor you’re not using on that particular estimate.
Risley advised body shops to identify which of their business partners used EMS and create a unique directory for each one, rather than having all data pumps point to the same place. CCC shared what appeared to be similar step-by-step instructions with SCRS in 2014.
Creating the new unique directories will break the old EMS path, Risley said.
“You’re basically starting with a clean slate,” he said.
Risley said repairers also forget to configure individual workstations. Designating paths on one computer doesn’t apply them to the other computers in the shop.
“Shut ’em all off” on other workstations, he advised the CIC audience. (I.e., don’t export EMS files on those computers.) This limited the amount of access to data, he said.
“You need to do some research” to determine both who is pumping your data and who they’re giving it to, Risley said.
It’s possible that the vendor receiving your data isn’t leaking your data directly — but they’re sharing it with someone else who is, Risley said.
Another option is to use CCC’s Secure Share option for transmitting the more modern BMS file framework and configuring who could access what. 24 vendors are currently available there, and CCC encrypts the data being communicated.
Confronting other rumors, Risley joked of a “pretty big announcement” — nothing had changed.
BMS would continue to be free, he said. CCC will continue to support EMS and BMS, he said.
Finally, Risley also pointed out how a repairer could customize both who could receive data through UpdatePlus and how much of it was shared with those individual parties.
Terlep said the CIC committee also sought to help shops better control data and outlined a series of plans to be incorporated into a tutorial.
He said one key element would involve educating shops how to determine who is accessing data and how to request and determine what data is being collected by another party.
Terlep said the committee also wanted to create a map of data sharing entities — who does each company receiving repairers’ information share data with?
“That’s a pretty big project,” Terlep said.
The committee also has developed what it feels are “golden rules” related to data use, sharing and security.
According to what Terlep called a first draft, these would include:
1. Never use data against your customers/end users, but rather in their service.
2. Provide clarity and education on what kinds of data are to be used, why and how (e.g., anonymous vs. personalized), with a simple experience in the “terms and conditions” acceptance.
3. Do not misuse and do not allow potential third parties to misuse data, aggressively promote data security and respect of privacy, and be clear on “legal aspects.”
4. Give customers/end users the choice of what to share and what not to share and for which purposes (i.e., customers need to be in control of their own data); periodically remind customers that they can revise the parameters of data sharing.
5. Make gathered data available to customers/end users. (Minor formatting edits.)
He said the committee would challenge companies to agree to these rules.
CIC Data Access, Privacy & Security Committee Co-Chairman Dan Risley (CCC) on Nov. 5, 2019, told the Collision Industry Conference that CCC had not and does not give shops’ data to CARFAX. (John Huetter/Repairer Driven News)
CIC Data Access, Privacy & Security Committee Co-Chairman Dan Risley (CCC) on Nov. 5, 2019, told the Collision Industry Conference that CCC had not given and does not give shops’ data to CARFAX. (CCC/Collision Industry Conference slide; photo by John Huetter/Repairer Driven News)
The Collision Industry Conference Data Access, Privacy & Security Committee is working on a tutorial addressing the points discussed here, according to Co-Chairman Frank Terlep (asTech). (Slide from Collision Industry Conference; photo by John Huetter/Repairer Driven News)
CIC Data Access, Privacy & Security Committee Co-Chairman Frank Terlep (asTech) on Nov. 5, 2019, stands next to a draft of “Golden Rules” the committee plans to eventually challenge companies to adopt. (John Huetter/Repairer Driven News)