Society of Collision Repair Specialists Executive Director Aaron Schulenburg on Thursday said the organization’s testing has yet to uncover how information related to a collision repair is reaching the vehicle history company CARFAX.

“Every time we think we know, we find out that we’re wrong or that it’s not the right path,” he told the virtual Collision Industry Conference on Thursday.

Schulenburg said he constantly took calls from members and nonmembers reporting that estimates they’ve written are “somehow being captured” by the history platform, leading to customers upset their vehicle damage has been revealed. “It really is a challenge,” he said.

SCRS has even used the advice from companies like CCC and Mitchell — neither of which share data with CARFAX — to isolate estimate message files from data pumps, and the information still reaches the vehicle history company, according to Schulenburg. Even test estimates reflecting fake damage that “could never have been reported in any other way” still make their way to CARFAX, he said.

“That’s exceptionally concerning,” Schulenburg said.

In response to a question regarding insurers as a potential source, Vehicle Data Access, Privacy & Security Committee Co-Chairman Dan Risley (CCC) said that hasn’t been the case in any instance he had been associated with. He said test estimates written as customer-pay — no insurer involved — and a single part, without the part actually being ordered or a repair being performed, still are getting out. (It was unclear if Risley meant to CARFAX or another vehicle history company. Schulenburg said SCRS has mostly encountered issues with CARFAX.)

“We’ve ran our head into a wall” trying to isolate the cause, Risley said. “We just have not landed on one yet.”

Schulenburg noted that the issue of data reaching vehicle history companies “truly negatively impacts almost every entity within this industry, with maybe the exception of the VIN reporting companies themselves.”

Asked if CARFAX had been invited to participate on the committee or asked directly, Risley said the committee hadn’t contacted it directly, but the body was open to anyone.

Schulenburg said CARFAX has been present to hear concerns over the matter but haven’t commented publicly. He said he felt it was fair to say the company’s “level of assistance” hadn’t yielded any “productive responses,” only the position they protect sources.

He said he would encourage the company to correct any mischaracterization.

We asked CARFAX if Schulenburg had accurately described the company’s position and if it wished to comment further. We also asked if it wished to respond to the notion that given that test estimates would lack publicly available crash information (such as police reports), it seemed CARFAX was unethically facilitating a shop’s business partner sharing the repairer and customer’s information without permission. Finally, we asked if CARFAX took any first-party actions such as its own data pumps to obtain EMS files or if all the company’s information had been provided by third-party sources.

“Thank you for reaching out,” CARFAX public relations director Emilie Voss wrote in an email. “More than 113,000 data sources across North America report information to CARFAX.  The details associated with a single event on a CARFAX report may have been reported to CARFAX from several sources, both public and private.  For more information about CARFAX’s data sources, please visit:  https://www.carfax.com/company/vhr-data-sources.  Carfax recognizes the importance of accurate information, and therefore, the Help Center on www.carfax.com provides an easy, quick way to send CARFAX requests for data verifications and corrections.”

CARFAX’s data sources website lists “Collision repair facilities” among its nonpublic sources of information for “Accident indicators” like “Structural/frame damage” and “Collision repair history.”

It also mentions “Service/maintenance facilities,” who provide “Service or maintenance records including dates and services offered,” and “Automotive recyclers,” who share “Recycled parts that were requested for a repair.” CARFAX says it also might get “Major repair and maintenance history” from extended warranty companies and “Service and maintenance history” from automakers.

CARFAX describes other parties relevant to a collision repair as among its sources, but its examples of the information they might provide are unrelated to the customer’s repair.

CARFAX said insurers give it total loss or stolen-vehicle data; it doesn’t mention repairable vehicle claims. Rental car companies’ offerings include total loss, damage, maintenance and service information, according to CARFAX, but it appears to be referring to damage and work done on the rental car rather than the customer’s car. Dealerships also constitute a CARFAX source, but CARFAX describes them as sharing odometer and for-sale vehicle inventory data.

The references to entities like mechanical repair facilities and auto recyclers might demonstrate a need for repairers to demand privacy from all sublet and vendor business partners.

Risley told the CIC audience that information providers can offer tools to help users protect data. But this ability to assist only applied to information contained within their estimating platforms.

“Once it leaves, we have no control over that,” Risley said. The next layer of data security was “gonna have to come from you,” he said. Shops need to contact the parties receiving their data and receive the same reassurances of privacy, he said.

“When it leaves the shop” could be “the biggest elephant in the room,” Risley said.

Repairers, insurers, information providers and others frustrated by the issue might be able to address it by demanding all business partners comply with five privacy “Golden Rules” proposed Thursday by Risley’s committee.

Schulenburg said his hope is that the Golden Rules foster an industry of business partners who can adopt them and say “‘my end users can hold me accountable to these Golden Rules.’” Speaking on behalf of auto body shops, he said none of the rules seemed to constitute an unreasonable expectation, and they represented something “many of the end users have been asking for for quite some time.”

More information:

“Golden Rules” slides from Vehicle Data Access, Privacy & Security Committee

Collision Industry Conference, July 23, 2020

“CARFAX Vehicle History Data Sources” webpage

Images:

An inflatable CARFAX mascot is seen outside of a Sacramento, Calif., dealership in March 2014. (slobo/iStock)

Clockwise from top left, CIC Vehicle Data Access, Privacy & Security Committee Co-Chairman Trent Tinsley (Entegral); Society of Collision Repair Specialists Executive Director Aaron Schulenburg, committee Co-Chairman Dan Risley (CCC); and Jack Rozint, senior vice president of sales and service, repair for Mitchell auto physical damage solutions, participate in a committee session during the virtual Collision Industry Conference on July 23, 2020. (Screenshot from CIC virtual event)