Repairer Driven News

Insurers and collision industry need to work together to protect data, article says


The collision repair industry and auto insurance carriers need to take further steps to protect consumer data as technology and privacy crimes advance, according to an article recently published by Insurance Thought Leadership and written by Steven Applebaum, Insurance Solutions Group managing partner, and Alan Demers, InsurTech Consulting president.

“Our focus in this piece is fairly narrow — namely the unauthorized use of personal information in the auto insurance claim reporting, damage evaluation, and collision repair process,” the article says. “While this is just a subset of the broader data privacy issue, the implications are quite serious and affect millions of consumers, insurers, and their supply chain partners and present exposure to hundreds of supply chain participants.”

Applebaum and Demers said the advancement of technology, such as telematics, helps insurers reduce costs. Technology, such as estimating tools, also helps document the collision repair process. However, if data is not protected in both industries, consumers can lose trust in the claims process. 

“Consumers’ and policyholders’ information is getting harvested and they may or may not know about that,” Demers said in a Repairer Driven News interview. “It is a matter of time before something does happen and there is much more attention to this topic.” 

The article focuses on personally identifiable information (PII) captured during a claims process being used commercially in ways not approved by claimants or businesses involved in the claims, including auto insurers and collision repairers. This information could include the vehicle identification number (VIN), damage description, and repair estimate. 

“The implications and the damage done by these unapproved uses of PII extend beyond just the violation of consumers’ rights to include potentially significant economic costs to the victims and legal, compliance and reputational damage exposure to auto insurers and collision repairers,” the article says. 

The information enters the digital world through multiple avenues. It is shared across software platforms, including claims software used by insurance companies, third-party collision estimating software, and collision repair body shop management systems. 

“This PII is being captured, with and without the knowledge of consumers, by third-party vendors who repackage and sell it to information brokers, including vehicle history reporting services who use it to earn hundreds of millions of dollars from a wide variety of users,” the article says. “Among these ironically are auto insurers who purchase the data for auto insurance underwriting purposes and collision repairers who use the data to promote their services to competitor’s customers both domestically and internationally.”

Demers said it is hard to avoid sharing data in today’s world. 

“We are conscious that everything we do is tracked and monitored; some for good and some for less than good reasons,” Demers said. “In order for me to get anything done these days, I have to give up my information. You pause for a moment and then life goes on.” 

The same thing happens in the insurance and repair industry, Demers said. He said consumers aren’t aware of where the data goes. 

Demers said that is why the industry itself needs to spotlight the issue. 

Repair and claim data is often used in vehicle history reports sold to automotive dealers. The information often results in a diminution of value to the seller, the article says. 

“It is not uncommon for the vehicle owner to blame their insurers for divulging the information which they consider private and confidential,” the article says. “At a minimum, this can create reputational damage for the carrier and could also lead to legal exposure for damages. Of critical importance here is that the vehicle owner likely never gave their permission to any party for the release of this personal information and had the right to expect all involved parties would protect it.”

Applebaum said he’s personally been contacted by consumers about vehicle history reports.

“I’ve heard so many horror stories,” Applebaum said. “I received a call from one of our policyholders — he wanted to know why we told anyone about the accident he had three years ago.” 

The policyholder didn’t feel anyone had the right to sell his information, Applebaum said. He said the policyholder ultimately lost money when reselling his vehicle, even with the vehicle being properly restored to its condition before the incident. 

Applebaum said everyone, from the consumer to the insurer and repairer, deserves to know where the information collected is going.

“We spotlight this issue to bring all the entities together so that all stakeholders can benefit,” Demers said. “We ask the industry to collaborate as they have so many times.” 

Society of Collision Repair Specialists (SCRS) Executive Director Aaron Schulenburg spoke at a Collision Industry Conference (CIC) meeting in 2022 about a third party attempting to sell SCRS consumer data. He said the business claimed to collect 86% of all quoted collision repairs in North America.

The industry has found it difficult to track how the information has leaked to outside companies, with multiple software companies such as Mitchell and CCC denying sharing the information with companies such as CARFAX.

Applebaum and Demers said they hope the article encourages the continued forward movement by technology firms partly influenced by the 2012 “Joint Statement Regarding the Collection and Reporting of Repairer Business Data.”

The statement was signed by the Society of Collision Repair Specialists, Alliance of Automotive Service Providers, and Automotive Services Association. It asked firms that collect data to remove contractual clauses that require access to aggregate and collect data as a point-of-sale. It also asked for an annual report that indicates how mined data was used.

Since the statement was released, some software companies have taken steps to protect consumer data, the article says.

CCC Intelligent Solutions (CCC) released Secure Share, which protects estimate data shared with third-party applications. Recently, CCC also introduced a feature that redacts the last six digits of a VIN and some PII, the article says. 

In January, DataTouch launched VINAnonymize, which prevents estimate and VIN reporting to services such as CARFAX and AutoCheck. DataTouch also provides Data Analyzer and Data Auditor, which protect information from being sold.

CIC focuses on the issue of data privacy via a Data Access, Privacy, and Security Committee. Last year, the committee provided tips on business practices the industry can use to protect consumer information. 

This year, the committee is moderating a panel that will include a representative from Experian, said Dan Risely, CIC vice president of Quality Repair and Market Development.

“We will be exploring how data is aggregated and the process/tools to have incorrect data removed from a vehicle history report,” Risely said. 

The Insurance Thought Leadership article notes a forward movement in protecting data in the industry. However, it encourages everyone to work together to do more. 

“For auto insurance carriers, these and other future data privacy regulations could represent an obligation to protect the private information of policyholders and ensure that their auto claims supply chain partners are adhering to all federal and state laws — no small certification compliance challenge,” the article says. “However, pro-active industry support and greater compliance would engender greater trust and loyalty from policyholders.”

States have started tackling the issue of data privacy, with the California Privacy Rights Act taking effect in 2023. Colorado, Connecticut, Virginia, Utah, and Texas have similar laws with varying effective dates. Other states such as Oregon, Montana, Delaware, Iowa, Tennessee, Indiana, Vermont, Oklahoma, Kentucky, New Hampshire, and Hawaii are considering data privacy bills, the article said. 

As state laws change, it is more important for insurers and collision repair facilities to protect data, the article says. Protecting consumer data also helps build a positive brand and reputation, it says. 

“For information providers and other supply chain partners, while their exposure and risks relative to existing and emerging privacy laws may currently be opaque, what is crystal clear is that this is an opportunity to be on the right side of regulators, consumer advocacy groups and the ultimate customer of every company involved in the auto insurance and claim process — the policyholder,” the article says. “For those information providers who traffic in the unauthorized use of PII, including claims data, to produce vehicle history reports, now would be a good time to develop an alternate business model, one which complies with the spirit, intent, and requirements of this growing amount of data privacy regulation. Failure to do so could cost more than it is worth.”


Photo courtesy of Peach_iStock/iStock
