Data privacy is a sprawling, multi-faceted, complex and controversial issue that means different things to different audiences but has serious implications for businesses and consumers alike. And the issue is sure to continue to grow in importance given the explosive adoption of data-driven technology and digitization, which will drive ever greater levels of information capture and use. Meanwhile, concerns about how personal data is captured, managed and exploited are intensifying, with the emergence of more data breaches, hacking, identity theft and ransomware crimes.
Our focus in this piece is fairly narrow – namely the unauthorized use of personal information in the auto insurance claim reporting, damage evaluation and collision repair process. While this is just a subset of the broader data privacy issue, the implications are quite serious and affect millions of consumers, insurers and their supply chain partners and present exposure to hundreds of supply chain participants. These events occur more than 20 million times a year across a multibillion-dollar ecosystem.
Data Privacy
Data privacy generally means the ability of a person to determine for themselves when, how and to what extent personal information about them is shared with or communicated to others. This personal information can be one's name, location, contact information or online or real-world behavior. This includes personally identifiable information (PII).
If you are uncertain about what types of data make up your PII and how this relates to the subject of data privacy, you are not alone. But as technology adoption and complexity accelerate at hyper-speed, ever-increasing amounts of personal data are being collected and exchanged. As technology applications become more invasive, so do the uses of the associated data, including yours.
PII is any information connected to a specific individual that can be used to uncover that individual's identity, such as their Social Security number, license plate number, vehicle identification number (VIN), full name and physical or email address. In the context of this article, it includes details regarding an individual’s auto insurance claim, vehicle identification, damage description, accident and repair estimate.
Personally Identifiable Information (PII)
Despite existing rules and regulations, and the general expectation of privacy by consumers involved in this process, some of the PII captured and transmitted digitally during a claim is being used commercially in ways not anticipated or approved by claimants or the businesses involved in such claims, primarily auto insurers and collision repairers.
The implications and the damage done by these unapproved uses of PII extend beyond just the violation of consumers’ rights to include potentially significant economic cost to the victims and legal, compliance and reputational damage exposure to auto insurers and collision repairers.
PII in the Auto Insurance Claims and Repair Process
In simple terms, what is happening is that information concerning the damaged vehicle and its owner flows digitally through claims software used by insurance companies to record claim-specific information and populates third-party collision estimating software, which in turn is integrated into collision repair body shop management systems and is frequently shared with numerous other supply chain partners.
This PII is being captured, with and without the knowledge of consumers, by third-party vendors that repackage and sell it to information brokers, including vehicle history reporting services that use it to earn hundreds of millions of dollars from a wide variety of users. Among these, ironically, are auto insurers that purchase the data for auto insurance underwriting purposes and collision repairers that use the data to promote their services to competitors' customers both domestically and internationally.
One significant use of the data is the creation of vehicle history reports, which are sold or provided to consumers and automotive dealers and which identify the prior claims and repair history of specific vehicles. The disclosures often reduce the vehicle's value to the seller. It is not uncommon for vehicle owners to blame their insurers for divulging the information, which they consider private and confidential. At a minimum, this dispute can create reputational damage for the carrier. It could also lead to legal exposure for damages. Of critical importance here is that the vehicle owner likely never gave permission to any party for the release of this personal information and had the right to expect that all involved parties would protect it.
Privacy Laws: Federal and State Level
The U.S. does not currently have a national comprehensive privacy law, despite efforts to enact one. In 2022, the U.S. House considered the American Data Privacy and Protection Act (ADPPA), the first bipartisan and bicameral bill to protect consumer data collection and privacy across nearly all sectors. It has still not been passed.
As a result, U.S. states have had to act independently. The most comprehensive state privacy law is currently in place in California, where voters enacted PII regulations in 2020 through Proposition 24, known as the California Privacy Rights Act (CPRA), which took effect Jan. 1, 2023. Many other states have followed California’s lead by enacting similar or slightly weaker versions of CPRA, including Colorado, Connecticut, Virginia, Utah and Texas. Legislation has been approved and is pending effective dates between 2024 and 2026 in Oregon, Montana, Delaware, Iowa, Tennessee and Indiana. Vermont, Oklahoma, Kentucky, New Hampshire and Hawaii are considering data privacy bills.
All these laws are slightly different, however (in defining thresholds, fines, cure periods, impact assessment, opt-outs, sensitive data and consumer rights), which can be very challenging for multi-state operators and consumers to navigate.
Call to Action
Several industry associations and organizations have called, and continue to call, for solutions. In 2012, three industry groups issued their Joint Statement Regarding the Collection and Reporting of Repairer Business Data. These are: Society of Collision Repair Specialists (SCRS), Alliance of Automotive Service Providers (AASP) and Automotive Services Association (ASA).
The statement included this call to action: “This statement serves as a public request from the collision repair industry to Audatex, CCC, Mitchell and other technology firms who collect data. The industry seeks removal of contractual clauses within End User License Agreements which require permissive access to aggregate and collect end‐user data as a point‐of‐sale requirement to purchase those programs. Further, we believe that if a business is to permit their data to be mined, they should be entitled to access to an annual report specifically indicating where that data was used, and a list of parties that received reports utilizing data from the user’s system. We believe the ability for businesses to choose participation in the data collection process is a reasonable solution, and we look forward to your response.”
Today, the Collision Industry Conference (CIC) has a separate committee working on this problem to help collision repairers manage the pirating of customer information.
Implications, Risks (and Opportunities) to Auto Insurance Ecosystem Participants
Software solutions have come to market, such as Secure Share from CCC Intelligent Solutions (CCCIS), which allows collision repairers to securely share estimate data with third-party applications. Last month, CCCIS introduced an enhanced data security feature for collision repairers writing estimates on its estimating software, which redacts the last six digits of a VIN and certain PII.
Also in January, DataTouch announced the launch of VINAnonymize, a technology that prevents collision repair estimate information from being used by VIN reporting services such as CARFAX and AutoCheck. In addition to VINAnonymize, DataTouch offers Data Analyzer and Data Auditor for use by collision repairers to secure PII and repair data to meet regulations and protect repair data from being sold.
These early-stage solutions represent an encouraging start but still require broad industry adoption to make a real impact.
For auto insurance carriers, these and other future data privacy regulations could represent an obligation to protect the private information of policyholders and ensure that their auto claims supply chain partners are adhering to all federal and state laws – no small certification compliance challenge. However, industry support and greater compliance would engender greater trust and loyalty from policyholders.
For collision repair facilities, this recent growth in state privacy regulation highlights the need for end-user license agreements and data collection/use consumer disclosures sooner rather than later, if not already in place. As custodians of PII, collision repairers that take additional care to protect it can elevate their brand and reputation among auto owners.
For information providers and other supply chain partners, while their exposure and risks relative to existing and emerging privacy laws may currently be opaque, what is crystal clear is that this is an opportunity to be on the right side of regulators, consumer advocacy groups and the ultimate customer of every company involved in the auto insurance and claim process – the policyholder.
For those information providers that traffic in the unauthorized use of PII, including claims data, to produce vehicle history reports, now would be a good time to develop an alternate business model, one that complies with the spirit, intent and requirements of this growing amount of data privacy regulation. Failure to do so could cost more than it is worth.