- Where Insurance & Technology Meet

Data Privacy’s Dirty Little Secrets: Big Implications for the Auto Insurance Ecosystem

by Stephen Applebaum and Alan Demers

Data privacy is a sprawling, multi-faceted, complex, and controversial issue which means different things to different audiences but has serious implications for businesses and consumers alike. And it is sure to continue to grow exponentially with the explosive adoption of data-driven technology and digitization which will drive ever greater levels of information capture and use. Meanwhile, concerns about how personal data is captured, managed and exploited are intensifying with the emergence of more data breaches, hacking, identity theft and ransomware crimes.

Our focus in this piece is fairly narrow – namely the unauthorized use of personal information in the auto insurance claim reporting, damage evaluation and collision repair process. While this is just a subset of the broader data privacy issue, the implications are quite serious and affect millions of consumers, insurers, and their supply chain partner and present exposure to hundreds of supply chain participants. These events occur more than 20 million times a year across a multi-billion-dollar ecosystem.

Data Privacy

Data privacy generally means the ability of a person to determine for themselves when, how, and to what extent personal information about them is shared with or communicated to others. This personal information can be one’s name, location, contact information, or online or real-world behavior. This includes but is not limited to Personally Identifiable Information (PII).

If you are uncertain about what types of data make up your Personally Identifiable Information (PII) and how this relates to the subject of data privacy, you are not alone. But as technology adoption and complexity is accelerating at hyper-speed, ever increasing amounts of personal data are being collected and exchanged. As technology applications become more invasive, so do the uses of the associated data, including yours.

Personally Identifiable Information (PII) is any information connected to a specific individual that can be used to uncover that individual’s identity, such as their social security number, license plate number, Vehicle Information Number (VIN), full name, and physical and/or email address. In the context of this article, it includes details regarding an individual’s auto insurance claim, vehicle identification, damage description, accident and repair estimate.

Personally Identifiable Information (PII)

Despite existing rules and regulations, and the general expectation of privacy by consumers involved in this process, some of the PII captured and transmitted digitally during a claim is being used commercially in ways not anticipated or approved by claimants or the businesses involved in such claims, primarily auto insurers and collision repairers.

The implications and the damage done by these unapproved uses of PII extend beyond just the violation of consumers’ rights to include potentially significant economic cost to the victims and legal, compliance and reputational damage exposure to auto insurers and collision repairers.

PII in the Auto Insurance Claims and Repair Process

In simple terms, what is happening is that information concerning the damaged vehicle and its owner flows digitally through claims software used by insurance companies to record claim specific information and populates third party collision estimating software which in turn is integrated into collision repair bodyshop management systems and is frequently shared with numerous other supply chain partners.

This PII is being captured, with and without the knowledge of consumers, by third party vendors who repackage and sell it to information brokers, including vehicle history reporting services who use it to earn hundreds of millions of dollars from a wide variety of users. Among these ironically are auto insurers who purchase the data for auto insurance underwriting purposes and collision repairers who use the data to promote their services to competitor’s customers both domestically and internationally.

One significant use of the data is the creation of vehicle history reports which are sold and/or provided to consumers and automotive dealers and which identify the prior claims and repair history of specific vehicles, which disclosures often results in a diminution of value to the seller. It is not uncommon for the vehicle owner to blame their insurers for divulging the information which they consider private and confidential. At a minimum, this can create reputational damage for the carrier and could also lead to legal exposure for damages. Of critical importance here is that the vehicle owner likely never gave their permission to any party for the release of this personal information and had the right to expect all involved parties would protect it.

Privacy Laws: Federal and State Level

The United States does not currently have a national comprehensive privacy law, despite efforts to enact one. In 2022, the U.S. House considered the “American Data Privacy and Protection Act (ADPPA)”, the first bipartisan and bicameral bill to protect consumer data collection and privacy across nearly all sectors. It has still not been passed.

As a result, U.S. states have had to act independently. The most comprehensive state privacy law is currently in place in California where voters enacted PII regulations through Proposition 24, known as the “California Privacy Rights Act (CPRA)”, in 2020 and which took effect Jan. 1, 2023. Many other states have followed California’s lead by enacting similar or slightly weaker versions of CPRA including CO, CT, VA, UT, and TX.  Legislation has been approved and is pending effective dates between 2024 and 2026 in OR, MT. DE. IA. TN and IN and VT, OK, KY, NH, and HI are currently considering data privacy bills.

All these laws are slightly different, however (in defining thresholds, fines, cure periods, impact assessment, opt-outs, sensitive data, and consumer rights) which can be very challenging for multi-state operators and consumers to navigate.

Call to Action

Several industry associations and organizations have and continue to call for solutions. In 2012, three industry groups issued their “Joint Statement Regarding the Collection and Reporting of Repairer Business Data”. These include “Society if Collision Repair Specialists, (SCRS),” “Alliance of Automotive Service Providers (AASP)” and “Automotive Services Association (ASA).

The Joint Statement included this call to action – “This statement serves as a public request from the collision repair industry to Audatex, CCC, Mitchell and other technology firms who collect data. The industry seeks removal of contractual clauses within End User License Agreements which require permissive access to aggregate and collect end‐user data as a point‐of‐sale requirement to purchase those programs. Further, we believe that if a business is to permit their data to be mined, they should be entitled access to an annual report specifically indicating where that data was used, and a list of parties that received reports utilizing data from the user’s system. We believe the ability for businesses to choose participation in the data collection process is a reasonable solution, and we look forward to your response.”

Today, the Collision Industry Conference (CIC) has a separate committee working on this problem to help collision repairers manage the pirating of customer information

Implications, Risks (and Opportunities) to Auto Insurance Ecosystem Participants

Software solutions have come to market such as Secure Share from CCC Intelligent Solutions (CCCIS) which allows collision repairers to securely share estimate data with third party applications. Last month, CCCIS introduced enhanced data security feature for collision repairers writing estimates on their estimating software which redacts the last six digits of a Vehicle Identification Number (VIN) and certain Personally Identifiable Information (PII).

Also in January, DataTouch LLC announced the launch of VINAnonymize, a new technology that prevents collision repair estimate information from being used by vehicle identification number (VIN) reporting services such as CARFAX and AutoCheck. In addition to VINAnonymize, DataTouch offers Data Analyzer and Data Auditor for use by collision repairers to secure PII and repair data to meet regulations and protect repair data from being sold.

These early-stage solutions represent encouraging start but still require broad industry adoption to make a real impact.

For auto insurance carriers, these and other future data privacy regulations could represent an obligation to protect the private information of policyholders and ensure that their auto claims supply chain partners are adhering to all federal and state laws – no small certification compliance challenge. However, pro-active industry support and greater compliance would engender greater trust and loyalty form policyholders.

For collision repair facilities, this recent growth in state privacy regulation highlights the need for end-user license agreements and data collection/use consumer disclosures sooner rather than later, if not already in place. As custodians of PII, collision repairers who take additional care to protect it can elevate their brand and reputation among auto owners.

For information providers and other supply chain partners, while their exposure and risks relative to existing and emerging privacy laws may currently be opaque, what is crystal clear is that this is an opportunity to be on the right side of regulators, consumer advocacy groups and the ultimate customer of every company involved in the auto insurance and claim process – the policyholder.

For those information providers who traffic in the unauthorized use of PII, including claims data, to produce vehicle history reports, now would be a good time to develop an alternate business model, one which complies with the spirit, intent, and requirements of this growing amount of data privacy regulation. Failure to do so could cost more than it is worth.

About the Authors

Stephen E. Applebaum, Managing Partner, Insurance Solutions Group, is a subject matter expert and thought leader providing consulting, advisory, research and strategic M&A services to participants across the entire North American property/casualty insurance ecosystem focused on insurance information technology, claims, innovation, disruption, supply chain, vendor and performance management. Mr. Applebaum is also a Senior Advisor to Waller Helms Advisors.  WHA is the premier investment banking boutique focused on the crossroads of the Insurance, Healthcare and Investment Services sectors.

Stephen is a frequent chairman, guest speaker and panelist at insurance industry conferences and contributor to major insurance industry publications and has a passion for coaching, mentoring, business process innovation and constructive transformation, applying disruptive technology, and managing organizational change in the North American property/casualty insurance industry and trading partner communities. He can be reached at [email protected].

Alan Demers is founder and president of InsurTech Consulting LLC, with 30 years of P&C insurance claims experience, providing consultative services focused on innovating claims. After initiating and leading claims innovation at Nationwide, Demers collaborates in the forefront of InsurTech, partnering with insurance leaders, startups, design thinking experts and service providers to modernize personal, commercial and specialty claims.

As Vice President of Claims Innovation at Nationwide, Alan conceptualized a vision and road map to build next-generation claims, automating and digitizing claims experiences, progressing from inception through prototype testing. He served as a founding member of the Corporate Innovation Council and played a key leadership role in establishing goals, practices and an innovative culture at Nationwide.

Alan is an accomplished executive leader and has worked for two separate Fortune 100 insurance companies in a number of corporate, national and regional leadership roles among personal, commercial, non-standard and specialty lines claims. Prior to leading claims innovation, he served as head of claims for Nationwide’s commercial agribusiness and non-standard claims. Other noteworthy roles include: field vice president, regional claims officer and national catastrophe director, quality assurance director.

Alan began his career with Aetna as a claim adjuster and advanced to a corporate claim consultant, prior to joining Nationwide in 1995.