Say it’s an average day at your shop when a customer arrives early and lounges in the lobby while they wait for their car. Nothing seems out of place, until days or weeks later when you realize your network’s been hacked using the shop’s Wi-Fi, and countless customer data points have been compromised and shared across the web.
That scenario may sound extreme to most repair shops, but as vehicles become more technologically advanced, shops are slowly gaining access to more data than ever before (especially with the passage and eventual deployment of the Right to Repair bill). And with all of that much coveted data could come much more responsibility to protect the information a shop has gathered.
For more insight on the changing legal landscape of data liability and tips shop owners can use to prepare, Ratchet+Wrench spoke with William Ferreira, lead attorney for the California-based Automotive Defense Specialists, a law firm representing auto repair facilities and technicians on a variety of legal needs.
As told to Megan Gosch
Use this time to get ahead.
Right now, shops are mostly grabbing personal and mechanical data points from customers and through access to specific diagnostic information, but there really are no major nationwide laws for how businesses like repair shops need to protect the data they have.
Any rules in place that shop owners need to abide by are being set individually on the state and local levels, and they’re across the map as to what they cover, but once manufacturers are eventually required to share their mechanical data through Right to Repair, I expect we’ll see some sort of nationwide legislation created to set a consistent standard. Until we know what data will be disclosed by the manufacturer or that the vehicle has to offer, I don’t expect national requirements will be set in stone, and we won’t know what data will be disclosed until the cases brought against Right to Repair are finished.
Honestly, the whole thing could take years and, even then, once they hand over the data, it’s likely to be a raw data dump that’ll overwhelm shops with so much info they won’t know how to analyze it, so we’ll see delays in actual shop use of this data while they try to figure out how to make sense of it all.
Brush up on the basics.
The good news is that in the meantime, shops are generally being held to a reasonable standard, meaning they’re being evaluated on the question of ‘what’s a reasonable level of accommodation a repair shop can be expected to make to protect its data with the information available to them?’
Is it reasonably foreseeable that a shop is sued because an ex-husband was able to access the shop’s files and use data points from the car’s GPS to track down his ex-wife? Probably not, but it could be a reality with the data that could be in a shop’s hands once this data opens up.
That being said, a reasonable standard would include covering the basics we’ve all been hearing about for years when it comes to avoiding a potential breach: secure Wi-Fi, secure networks, password encryption on important files, management of server redundancies and possibly moving data from a general server to an offline server, etc.
Limit your share points.
No matter the level of security you’re required to uphold based on the state you live and operate in, you want to keep access to any personal data on a need-to-know basis. For instance, it makes sense to give your mechanic access to someone’s data in order to analyze what’s going on with the car and potentially any issues it’s had in the past, but should the guy who sweeps the floor have the same login access to shop systems? I’d say no. You want to limit that access to staff you trust to use that data reasonably and with care.
With customers you also want to be safe in confirming your authorization to disclose information to anyone outside the shop. A good practice to put in place is creating some form of written authorization, maybe a signature on the invoice, to confirm who you’re able to share details with.
Be transparent.
Remember when Target had its big breach back in 2013 and wasn’t the first to break the news to customers? You want to be checking for a breach regularly and have a plan in place if you need to let a customer know his or her information’s been compromised.
Right now, for smaller companies, there’s generally not a ton of blowback legally when a breach happens but I’d expect to see requirements down the line with the data Right to Repair might unleash.
Cover your bases.
When clients come to me and ask if they really need that data liability insurance piece of their policy I always say “Look, what is it? Five dollars per month?” It’s worth it to have that rider and protection under weird circumstances like a breach.
Unfortunately, we live in a world where even if there aren’t significant damages and no one’s been physically harmed, there's always going to be some plaintiff's attorney that will help sue a repair shop for something like an unauthorized data breach—even if the shop did nothing wrong and had strong security measures in place. Without insurance there may be enough there for an attorney to make your life miserable and bleed you dry.