SCRS provides tips on protecting shop & consumer PII

The Society for Collision Repair Specialists (SCRS) Education Committee is working to bring awareness to repairers about how to protect consumer and shop data that is collected and stored on vehicle modules, much like data on a computer hard drive or in cloud-based drives.

As committee member and co-presenter Ron Reichen pointed out during the July SCRS Board’s open meeting, information is harvested by many vehicles through GPS, OnStar connections, cameras, and infotainment systems.

“When you look at what that does, it ties that car into so many personal effects that the consumer is doing on a daily basis,” he said. “It could track doctor’s appointments. It could track where you drop off your children at daycare.”

And when phones are connected to or synced with vehicles, even more data is collected, including personal contact lists, recent call history, browsing history, credit card information, texts, emails, social media feeds, and more. Crash data is also stored through vehicles’ event data recorders (EDRs), which could track the speed of the car at impact, if the driver’s foot was on the brake or gas pedal, angle of impact, how the occupants moved around in the vehicle during the collision, and if supplemental restraint systems worked. The committee found that data is collected by OEMs for vehicle design and safety research and can also be collected by law enforcement and insurers. As the amount of information available increases, carriers would likely use it to record driving characteristics and in settling insurance claims, such as user-based insurance (UBI), Reichen said.

Telematics uses two-way communication and is connected directly to the car through OEM or aftermarket access points, committee member and co-presenter Amber Alley said. Remote diagnostics tools and insurance carrier UBI dongles also use telematics.

Alley said it’s often hard to find information about what data is collected by EDRs, but it’s best to start by checking owner’s manuals. For example, the committee showed an excerpt from a Jaguar owner’s manual that states, “no data are recorded by the EDR under normal driving conditions and no personal data (eg name, gender, age, and crash location) are recorded. However, other parties, such as law enforcement, could combine the EDR data with the type of personally identifying data routinely acquired during a crash investigation.”

Video that vehicles record is also a new concern for consumers and repairers when vehicles are declared total losses or are later sold. Two examples are Tesla’s Model 3 Sentry Mode and Rivian’s Gear Guard. Both record and store video from the outside of the vehicles.

“The car manufacturers are putting this in, both Tesla and Rivian, because they understand there’s a demand for that but there’s also some privacy issues,” Alley said. She and Reichen noted that the ongoing recording could be both positive and negative. It could record a nearby assault and vandalism of the vehicle itself but could also record passersby’s personal information without them knowing.

Lucid has a data protection feature built into its vehicles’ key fobs. Without having it, there’s no way to access data that’s stored on the vehicle.

“We’re losing our privacy and, as a shop, what should we be doing to protect our customers as well as ourselves in these situations? Should you be going in and erasing these videos? That’s something for us to think about,” Alley said.

Reichen added that when a total loss (TL) vehicle leaves a shop, it goes through a lot of hands, including transporters, tow yard and auction employees, and others who could have access to the data. After the car is sold, it passes through more hands to be disassembled and recycled, rebuilt, or sold offshore, where the personally identifiable information (PII) could end up in a foreign country.

The committee determined it would be a best practice for shops to get authorization from their customers to reset or clear PII data for TL vehicles or vehicles they intend to sell, and to have them sign a release to avoid any liability with the procedure. The procedure, according to Data Enhancement Gateway (DEG) Administrator Danny Gredinberg, would be not-included.

As always, Reichen pointed out, repairers should research and document OEM procedures and vehicle build data to find out what features are on each vehicle and to repair them correctly. Every operation and repair that is performed should also be documented.

Alley said another way for shops to protect themselves and their customers’ information is to remove anything that identifies either, such as windshield and key tags, paperwork, seat covers with the shop name on them, and any personal belongings from TL vehicles. Doing so prevents future owner(s) from tracking down the previous owner and the shop to ask for details about the car that should only be shared with the owner at the time of the TL determination. This is also a good practice for vehicles that are repaired, minus removing customers’ personal belongings, to avoid future owner(s) calling to ask about parts and repair information, Alley said.

The audience for the committee’s presentation had some suggestions and questions about protecting shop and consumer data. One suggestion was for shops to offer data deletion as a service to bring repair customers back in if they decide to sell their vehicle in the future. Reichen called that a great idea.

Another asked for the committee’s thoughts on connecting or synching phones with rental cars. Alley said renters should consider not doing either or look in the owner’s manual to see how to delete PII before returning the vehicle because any information that’s stored will be stored until it’s deleted.

“Repairers have an obligation to communicate that to the customer,” Reichen said, referring to the risk associated with connecting their phones to rental vehicles. “They’re just not going to assume that that’s going on so we need to be that voice. We need to remind them of that.”

A third audience member, Mark Olson of VECO Collision Experts, cautioned repairers to be careful to not delete any location or crash data off vehicles because doing so could negatively affect crash investigation, which can sometimes be conducted years later. He recommended not only getting permission from the owners to clear all data but also from insurance carriers and law enforcement. In response, Alley noted that the committee doesn’t support deleting crash data and Reichen said some data can only be harvested by OEMs.

As legislation continues to be enacted at both the state and federal levels, repairers may want to start thinking about developing SOPs for vehicle data protection and/or removal. As Silver, Golub & Teitell attorney Steven Bloch pointed out during the Collision Industry Conference (CIC)’s July meeting, there are existing laws in every state on data privacy and new legislation is becoming stricter about the responsibilities that each party in the data supply chain has to the owners.

A bipartisan and bicameral bill was introduced in the US House last month to protect consumer data collection and privacy across nearly all sectors, including automakers and car dealers. HR 8152, the “American Data Privacy and Protection Act,” seeks to “provide consumers with foundational data privacy rights, create strong oversight enforcement mechanisms, and establish meaningful ones.” It was ordered by the House on July 20 to be amended.

Since 2006, the National Highway Traffic Safety Administration (NHTSA) has regulated uniform EDR requirements “for the accuracy, collection, storage, survivability, and retrievability of onboard motor vehicle crash event data in passenger cars and other light vehicles equipped with EDRs.”

The regulations also require EDRs to only “record a minimum set of specified data elements; standardizes the format in which those data are recorded; helps to ensure the crash survivability of an EDR and its data by requiring that the EDR function during and after the front and side vehicle crash tests specified in two Federal Motor Vehicle Safety Standards; and requires vehicle manufacturers to ensure the commercial availability of the tools necessary to enable crash convicts to retrieve data from EDRs.”

In 2012, NHTSA considered making EDRs a required component in most light-duty vehicles but later determined it wasn’t necessary because an estimated 96% of model year 2013 passenger and light-duty vehicles were already equipped with EDRs.

IMAGES

Featured image: iambuff/iStock
