UNAUTHORIZED USE OF AUTO CLAIMS DATA

UNAUTHORIZED USE OF AUTO CLAIMS DATA

Privacy violations related to personal information have serious implications for consumers, insurers and their supply chain partners.

?

Stephen Applebaum? and Alan Demers, FEBRUARY 21, 2024

?

Data privacy is a sprawling, multi-faceted, complex and controversial issue that means different things to different audiences but has serious implications for businesses and consumers alike. And the issue is sure to continue to grow in importance given the explosive adoption of data-driven technology and digitization, which will drive ever greater levels of information capture and use. Meanwhile, concerns about how personal data is captured, managed and exploited are intensifying, with the emergence of more data breaches, hacking, identity theft and ransomware crimes.

?

Our focus in this piece is fairly narrow – namely the unauthorized use of personal information in the auto insurance claim reporting, damage evaluation and collision repair process. While this is just a subset of the broader data privacy issue, the implications are quite serious and affect millions of consumers, insurers and their supply chain partners and present exposure to hundreds of supply chain participants. These events occur more than 20 million times a year across a multibillion-dollar ecosystem.

?

Data Privacy

Data privacy generally means the ability of a person to determine for themselves when, how and to?what?extent personal information about them is shared with or communicated to others. This personal information can be one's name, location, contact information or online or real-world behavior. This includes personally identifiable information (PII).

If you are uncertain about what types of data make up your PII and how this relates to the subject of data privacy, you are not alone. But as technology adoption and complexity is accelerating at hyper-speed, ever increasing amounts of personal data are being collected and exchanged. As technology applications become more invasive, so do the uses of the associated data, including yours.?

?

PII is?any information connected to a specific individual that can be used to uncover that individual's identity, such as their Social Security number, license plate number, vehicle identification number (VIN), full name and physical or email address. In the context of this article, it includes details regarding an individual’s auto insurance claim, vehicle identification, damage description, accident and repair estimate.

?

Personally Identifiable Information (PII)

Despite existing rules and regulations, and the general expectation of privacy by consumers involved in this process, some of the PII captured and transmitted digitally during a claim is being used commercially in ways not anticipated or approved by claimants or the businesses involved in such claims, primarily auto insurers and collision repairers.

The implications and the damage done by these unapproved uses of PII extend beyond just the violation of consumers’ rights to include potentially significant economic cost to the victims and legal, compliance and reputational damage exposure to auto insurers and collision repairers.??

PII in the Auto Insurance Claims and Repair Process

In simple terms, what is happening is that information concerning the damaged vehicle and its owner flows digitally through claims software used by insurance companies to record claim-specific information and populates third-party collision estimating software, which in turn is integrated into collision repair body shop management systems and is frequently shared with numerous other supply chain partners.

?

This PII is being captured, with and without the knowledge of consumers, by third-party vendors that repackage and sell it to information brokers, including vehicle history reporting services that use it to earn hundreds of millions of dollars from a wide variety of users. Among these, ironically, are auto insurers that purchase the data for auto insurance underwriting purposes and collision repairers that use the data to promote their services to competitors' customers both domestically and internationally.?

?

One significant use of the data is the creation of vehicle history reports, which are sold or provided to consumers and automotive dealers and which identify the prior claims and repair history of specific vehicles. The disclosures often reduce the value to the seller. It is not uncommon for the vehicle owner to blame their insurers for divulging the information, which they consider private and confidential. At a minimum, this dispute can create reputational damage for the carrier. It could also lead to legal exposure for damages. Of critical importance here is that the vehicle owner likely never gave their permission to any party for the release of this personal information and had the right to expect all involved parties would protect it.?

??

Privacy Laws: Federal and State Level

The U.S. does not currently have a national comprehensive privacy law, despite efforts to enact one. In 2022, the U.S. House considered the American Data Privacy and Protection Act (ADPPA), the first bipartisan and bicameral bill to protect consumer data collection and privacy across nearly all sectors. It has still not been passed.

?

As a result, U.S. states have had to act independently. The most comprehensive state privacy law is currently in place in California, where voters enacted PII regulations through Proposition 24, known as the?California Privacy Rights Act (CPRA),?in 2020 and which took effect Jan. 1, 2023. Many other states have followed California’s lead by enacting similar or slightly weaker versions of CPRA, including Colorado, Connecticut, Virginia, Utah and Texas. Legislation has been approved and is pending effective dates between 2024 and 2026 in Oregon, Montana, Delaware, Iowa, Tennessee and Indiana. Vermont, Oklahoma, Kentucky, New Hampshire and Hawaii are?considering data privacy bills.

?

All these laws are slightly different, however (in defining thresholds, fines, cure periods, impact assessment, opt-outs, sensitive data and consumer rights), which can be very challenging for multi-state operators and consumers to navigate.?

?

?

?

Call to Action

Several industry associations and organizations have and continue to call for solutions. In 2012, three industry groups issued their?Joint Statement Regarding the Collection and Reporting of Repairer Business Data. These are: Society of Collision Repair Specialists, (SCRS), Alliance of Automotive Service Providers (AASP) and Automotive Services Association (ASA).??

The statement included this call to action: “This statement serves as a public request from the collision repair industry to Audatex, CCC, Mitchell and other technology firms who collect data. The industry seeks removal of contractual clauses within End User License Agreements which require permissive access to aggregate and collect end‐user data as a point‐of‐sale requirement to purchase those programs. Further, we believe that if a business is to permit their data to be mined, they should be entitled to access to an annual report specifically indicating where that data was used, and a list of parties that received reports utilizing data from the user’s system. We believe the ability for businesses to choose participation in the data collection process is a reasonable solution, and we look forward to your response.”

?

Today,?the Collision Industry Conference (CIC) has a separate committee working on this problem to help collision repairers manage the pirating of customer information?

Implications, Risks (and Opportunities) to Auto Insurance Ecosystem Participants

Software solutions have come to market such as Secure Share from CCC Intelligent Solutions (CCCIS), which allows collision repairers to securely share estimate data with third-party applications. Last month, CCCIS introduced enhanced data security feature for collision repairers writing estimates on their estimating software, which redacts the last six digits of a VIN and certain PII.?

?

Also in January,?DataTouch announced the launch of VINAnonymize, a technology that prevents collision repair estimate information from being used by VIN reporting services such as CARFAX and AutoCheck.?In addition to VINAnonymize, DataTouch offers Data Analyzer and Data Auditor?for use by collision repairers to secure PII and repair data to meet regulations and protect repair data from being sold.?

?

These early-stage solutions represent an encouraging start but still require broad industry adoption to make a real impact.? ? ??

?

For auto insurance carriers, these and other future data privacy regulations could represent an obligation to protect the private information of policyholders and ensure that their auto claims supply chain partners are adhering to all federal and state laws – no small certification compliance challenge. However, industry support and greater compliance would engender greater trust and loyalty from policyholders.??

For collision repair facilities, this recent growth in state privacy regulation highlights?the need for end-user license agreements and data collection/use consumer disclosures sooner rather than later, if not already in place. As custodians of PII, collision repairers that take additional care to protect it can elevate their brand and reputation among auto owners.?

For information providers and other supply chain partners, while their exposure and risks relative to existing and emerging privacy laws may currently be opaque, what is crystal clear is that this is an opportunity to be on the right side of regulators, consumer advocacy groups and the ultimate customer of every company involved in the auto insurance and claim process – the policyholder.

For those information providers that traffic in the unauthorized use of PII, including claims data, to produce vehicle history reports, now would be a good time to develop an alternate business model, one that complies with the spirit, intent and requirements of this growing amount of data privacy regulation. Failure to do so could cost more than it is worth.

Privacy is indeed our right and not a luxury. As Helen Nissenbaum elegantly put it - Privacy is not just a personal concern but a societal value that informs the integrity and dignity of life itself. ?? ManyMangoes stands strong with privacy protection and transparency. Let’s pave the way for a future where respect for data privacy in the auto insurance sector sets a new standard! ???? #RespectForPrivacy #DataDignity

回复
Andrew Agustin

Thought leader, product management and development professional with 14+ years of experience.

9 个月

That’s why we are very forward about consent. Good article. Thanks!

回复
Bill Ayscue

Senior Director, Claims Research at Travelers

9 个月

Lots of interesting, thoughtful info here, Stephen. Thank you.

回复

If cars came with an EULA would we feel different? My phone is a proxy for all this now.

回复

要查看或添加评论,请登录

Stephen Applebaum的更多文章

  • Unprofitable Insurance - Tail Effect Hits Auto Lines

    Unprofitable Insurance - Tail Effect Hits Auto Lines

    by: Alan Demers and Stephen Applebaum, November 18, 2024 Since 2020 the world has seen more change, disruption and…

    4 条评论
  • Embedded Insurance: Major Disruptor Can Bridge Huge Coverage Gap

    Embedded Insurance: Major Disruptor Can Bridge Huge Coverage Gap

    Embedded insurance promises to disrupt insurance distribution as well as product. Moreover, it will help close the…

  • INSURANCE DIGITALIZATION: TRANSFORMATION PENDING

    INSURANCE DIGITALIZATION: TRANSFORMATION PENDING

    The P&C Insurance Industry has yet to materially make the shift from analog to digital despite being one of the largest…

    7 条评论
  • SO MANY CONFERENCES, SO LITTLE TIME AND BUDGET

    SO MANY CONFERENCES, SO LITTLE TIME AND BUDGET

    The oversaturated insurance conference landscape; which to attend and how to maximize experience Stephen Applebaum and…

    4 条评论
  • Riding the Insurance Roller Coaster

    Riding the Insurance Roller Coaster

    By: Alan Demers and Stephen Applebaum The first American roller coaster ride was known as the ‘Switchback Railway’…

  • LESSONS LEARNED: FROM C-SUITE TO FRONT LINE

    LESSONS LEARNED: FROM C-SUITE TO FRONT LINE

    Stephen Applebaum July 28, 2024 Since entering the business world in 1966 as an apprentice accounting student, I have…

    3 条评论
  • CAN CLIMATE TECH SAVE INSURANCE?

    CAN CLIMATE TECH SAVE INSURANCE?

    The adage that “everybody talks about the weather, but nobody does anything about it” – often attributed to Mark Twain…

  • Social Inflation Decades Of Insurance Litigation Abuse

    Social Inflation Decades Of Insurance Litigation Abuse

    by Stephen Applebaum and Alan Demers The scourge of legal abuse in insurance is hardly new or even recent but rather…

    6 条评论
  • DOES THE P&C INSURANCE CYCLE NO LONGER EXIST?

    DOES THE P&C INSURANCE CYCLE NO LONGER EXIST?

    By Alan Demers, CPCU, AIC and Stephen Applebaum February 28, 2024 Today’s world is confusing, replete with mixed and…

    2 条评论
  • 2024 and Beyond: Change Becomes Non-Negotiable

    2024 and Beyond: Change Becomes Non-Negotiable

    Stephen Applebaum and Alan Demers We cannot imagine a riskier undertaking than predicting the future given the totally…

    5 条评论

社区洞察

其他会员也浏览了