May 3, 2018—The Automotive Service Association (ASA) warned shop owners at the end of April that some third-party vendors with whom collision and mechanical shops do business might be reselling their customers’ data to other third parties.
Scott Benavidez, owner of Mr. B’s Paint & Body Shop and ASA board member, encountered a situation in which estimate data was unknowingly shared with CARFAX within 48 hours of the estimate being created.
Benavidez has not determined who has shared the data, and shop management systems denied reporting information to CARFAX. Yet, he said data reselling in this case affected the customer’s vehicle value by approximately $3,000, which significantly angered the customer, who demanded to know why Benavidez’s shop shared the information without his consent.
Almost everything related to the customer’s personal information, like personal contacts, appointments, addresses and age, is at risk of being shared, Benavidez said.
ASA has developed a Data Security Policy Agreement for shops to have vendors sign in an effort to protect consumer data. The document outlines that all data provided to outside vendors is owned by the shop and does not grant authority to share, sell or repackage the data without the consent of the shop.
“Before, just having the authorization to work on [the customer’s] car was enough,” Benavidez said. “Now we are responsible for their personal information and without their permission to use it, we could be set up for litigation.”
As Ratchet+Wrench's sister publication, FenderBender, reported in the past, Hala Furst, cybersecurity liaison for the U.S. Department of Homeland Security (DHS), hopes small businesses will realize the importance of cybersecurity: Roughly 54 percent of security breaches are caused by human error.
According to Furst, shop owners can use these resources to protect their shop from breaches in cybersecurity:
The National Vulnerability Database provides documents and processes that show how to assess your shop’s network security.
A shop can join an Information Sharing and Analysis Organization (ISAO), in which businesses share and respond to cyber risks in real time.
The Critical Infrastructure Cyber Community Voluntary Program, through the U.S. Department of Homeland Security, provides members a toolkit that outlines the cybersecurity threat landscape, an outreach and messaging kit and a resource guide for ensuring daily cyber protection.