Wednesday, 01 June 2022 13:55

CIECAST Looks at Unintended Consequences of Data Sharing in Collision Repair

Written by Abby Andrews





CIECA on May 24 hosted its latest CIECAST webinar, “Data Sharing in the Collision Industry and Its Unintended Consequences.”

The roughly 40-minute broadcast, featuring Pete Tagliapietra, managing director of DataTouch, LLC, can be viewed at any time here.


Tagliapietra, who also founded NuGen IT before it was acquired by OEConnection, discussed the lack of security and control around the now-ubiquitous Estimate Management Standard (EMS) export, and the importance of giving collision repair facilities and customers the ability to control personal information sharing in the future.


CIECA first released the EMS Standard in April 1994, designed to allow shops to import estimate data into their management system of choice---CCC, Mitchell or Audatex.


“It was designed for internal shop use only,” Tagliapietra said. “It was never intended to be secure or used externally for ecommerce purposes.”


But since then, several companies have recognized its value as an “excellent external ecommerce tool,” Tagliapietra said, including those offering claims processing, data mining and reporting, and integration with any collision repair industry stakeholders.


“Pandora’s box was opened and the EMS Standard is entrenched in the industry,” he said. “That data today is widely used for many different purposes.”


Tagliapietra said ActiveX controls and data pumps, which seamlessly grab EMS export data and share it wherever the data pump directs it, have become prolific on shops’ computer systems.


“Once a data pump is installed, it will copy all estimates indefinitely until it is uninstalled,” Tagliapietra said. “That means if a shop switches and no longer uses that partner, but doesn’t uninstall the data pump, it will keep sending [data.]


“We see that as a very key issue as to what’s going on now,” he said.


Tagliapietra said repair data is the “newfound gold” in the industry.


“That data is being used way beyond what most people recognize,” he said. “It goes way beyond vehicle reporting.”


As an example, Tagliapietra said, startup electric vehicle manufacturers are looking at repair orders of competitors’ EVs, to learn what is being repaired and when, as well as demographic information on who is buying those EVs.


It’s a common misconception among shops that third party providers can successfully manage personal ID info and repair data, Tagliapietra said.


“There’s no surefire way to manage it successfully unless it happens right where the shop writes an estimate,” he said.


[Figure: data flow chart]


He showed a flow chart, above, illustrating how customers’ personal information and vehicle repair data can get from a shop to a completely unaffiliated third party.


A shop creates an estimate, then uploads the data to its estimating system provider, which attaches the EMS report via an ActiveX control or data pump.


To help facilitate the repair, the EMS data goes to parts search databases, parts providers, third party claims processors and business management systems---and it can also end up in vehicle history reports and information on parts pricing, vehicle repairability and vehicle owner demographics.


This has led to a complete lack of control of the vehicle owner’s personal info, Tagliapietra said.


“It started happening in the mid to late ’90s, so it’s nothing new, but it now has grown to the point it’s been identified by states,” he said.

California now has strict regulations on personal information security, and other states, like Virginia and Ohio, are looking into it. Tagliapietra said many more states will follow.


“Businesses can no longer ignore the potential liabilities by not protecting personal information,” he said. “It needs to be dealt with. And it will be dealt with, but it’s just going to take time to do that.”


Paul Barry, executive director of CIECA, talked about the difference between data security and information privacy.


“Data security---think of it like home security,” Barry said. “It’s really about keeping the bad guys out.”


Businesses need to manage their own data security to prevent unwanted access, he said, using routers, firewalls, VPNs, passwords and anti-virus software.


Information privacy is a business’s policies and procedures aimed at protecting that data.


“Each business should develop a program of controls to ensure info is protected and shared appropriately,” Barry said, including password, system access and information sharing policies, and training.


“Larger companies usually have this, but it doesn’t scale down well,” Barry said. “It’s something every business needs to be aware of.”


When CIECA realized EMS data was being shared broadly, Barry said, it started focusing on data segmentation---sharing only the data necessary for a particular job---which gave rise to the newer BMS standards and is a factor in the CAPIS standards now being developed.


“If we don’t need to share a customer’s personally identifiable information, then we shouldn’t,” Barry said. “For example, a parts provider doesn’t need a customer’s home address.”


Tagliapietra said the industry as a whole is addressing the problem, but there’s a lot of work to be done.


“When you’re standing on the basement floor, there’s nowhere to go but up,” he said. “That’s where the collision repair industry is in protecting personal identification information.”


Tagliapietra said a solution needs to be offered to shops that addresses data segmentation and deletes customers’ personal information before sharing data with “practically everybody,” controlling what is shared based on what the partner---be it a parts provider, salvage yard, rental car company, etc.---actually needs.
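The per-partner segmentation described above, sketched as an added example (not code from CIECA, DataTouch or this article): a default-deny allow-list decides which estimate fields each partner type receives, and everything else is withheld and reported. The field names, partner types, policy contents and sample estimate are constructed for illustration and are not drawn from the EMS or BMS schemas.

```python
from copy import deepcopy

# Constructed field paths treated as personal information in this sketch.
PII_FIELDS = {"owner.name", "owner.home_address", "owner.phone", "owner.email"}

# Default-deny allow-list (assumed policy): a partner gets only the paths listed.
PARTNER_POLICY = {
    "parts_provider": {"vehicle.vin", "vehicle.year", "vehicle.make", "vehicle.model", "lines"},
    "rental_company": {"owner.name", "owner.phone", "vehicle.make", "vehicle.model", "repair.est_days"},
    "salvage_yard": {"vehicle.year", "vehicle.make", "vehicle.model", "lines"},
}

def flatten(record, prefix=""):
    """Yield (dotted_path, value) for every leaf; lists are kept whole."""
    for key, value in record.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            yield from flatten(value, path + ".")
        else:
            yield path, value

def segment(estimate, partner):
    """Return (payload, withheld_paths); a partner with no policy gets nothing."""
    allowed = PARTNER_POLICY.get(partner)
    if allowed is None:
        raise PermissionError(f"no sharing policy for partner type {partner!r}")
    payload, withheld = {}, []
    for path, value in flatten(estimate):
        if path in allowed:
            node = payload
            *parents, leaf = path.split(".")
            for parent in parents:  # rebuild the nested structure
                node = node.setdefault(parent, {})
            node[leaf] = deepcopy(value)
        else:
            withheld.append(path)
    return payload, sorted(withheld)

def pii_exposure(partner):
    """List the personal-information paths a partner's policy lets through."""
    return sorted(PARTNER_POLICY[partner] & PII_FIELDS)

SAMPLE_ESTIMATE = {  # constructed data
    "owner": {"name": "Pat Example", "home_address": "1 Sample St",
              "phone": "555-0100", "email": "pat@example.com"},
    "vehicle": {"vin": "TESTVIN0000000000", "year": 2020, "make": "ExampleMake", "model": "ExampleModel"},
    "repair": {"est_days": 4},
    "lines": [{"part": "front bumper cover", "op": "replace"}],
}
```

Running `pii_exposure` over every entry in the policy gives a shop a quick review list of which partner types receive any personal information at all.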


He said he believes a solution to control data flow will be available to collision repairers by the end of 2022.


“Like any other problem the industry has faced, I’m confident, Paul’s confident, it will be dealt with,” Tagliapietra said.


“We need to move away from EMS, to a more sophisticated standard, that’s easier to manage so we don’t give away data simply to anyone who wants to take it,” he said.


Tagliapietra said currently, shops don’t have a way of finding out which data pumps are running in their systems, but that technology is coming.


“Shops should be able to identify data pumps running on their system, validate them and determine which data should be shared,” he said. “Auditing software will be available before the end of the year to detect and advise a shop on how many [pumps are running] and who’s operating them.”


Barry said there is no silver bullet that will eliminate the problem; it will require collision repairers choosing to work only with partners that will protect personal information.


“It will take shops demanding it,” Barry said. “Millions of transactions are done every year through EMS. Shops will have to say, ‘I won’t do business with you unless you’re doing it through BMS.’”


Barry said the CAPIS Standards that CIECA is developing will use more current technology, but he thinks it’s going to take a while.

