I recently bought a used infotainment system on eBay from a totaled vehicle. I quickly realized it was “Jack’s” voice.
Jack is the vice president of a regional bank. He lives in a $2.7 million house. His and his family’s Social Security numbers were stored in the device’s contact book, which was saved when he synced his phone to the device. It also included contact information for his company’s CEO, CFO, and General Counsel.
There was information about his bank and online accounts of all kinds, including multiple logins, PINs, and passwords. Text exchanges with colleagues revealed material non-public information about the bank he works at and personal details, all of which are good starting points for any attacker to launch a business email compromise or spear phishing attack.
Jack never realized that this information, which I immediately deleted, was in the open. His auto insurance carrier could have easily mitigated that risk while significantly improving compliance with a variety of federal and state laws by properly deleting this data before Jack’s car was sold.
A known risk
Automakers’ privacy policies show that many vehicles today can collect, store and transmit various categories of data that fall under the legal definition of non-public personally identifiable information (NPI or PI).
Automakers have admitted to the Federal Trade Commission that vehicles collect “sensitive personal information” such as driver geolocation, biometrics and behavior.
When vehicle users such as drivers and passengers (including minors) connect their smartphones via USB, Bluetooth, CarPlay and other connected programs, additional PI is transmitted to and stored in the vehicle’s infotainment system.
The technological content of vehicles, the number of new state and federal laws, and the attention of regulators, the public, and attorneys filing individual and class actions are all increasing rapidly. Consequently, insurance carriers need to be mindful of how to reduce both their own risk and that of their policyholders by managing the PI stored in vehicles.
The Legal Landscape
The US has a complex patchwork of more than 200 federal and state laws that govern the protection of consumer information, including data security, data disposal, biometrics, unfair and fraudulent acts and practices, and privacy laws. Insurance carriers are also specifically regulated in 39 states and Washington DC by the National Association of Insurance Commissioners (NAIC) Information and Privacy Model Act (Model 670) and the Standards For Safeguarding Consumer Information Model Act (Model 673).
The Model 670 privacy laws apply in 18 states and the District of Columbia. Affected companies must have adequate and reliable means to access, modify and permanently delete personal data upon request. This also includes vehicles.
Model 673 Information Safeguards states that covered organizations must take “reasonable technical and administrative measures” to protect PI from unauthorized or accidental disclosure. This applies in 33 states plus the District of Columbia. Any personally identifiable information collected by “direct or indirect means” is governed by these state laws, even if the information is not used. This definition includes PI collected from vehicles. In these states, carriers are obliged to dispose of data that no longer serves a legitimate business purpose, even if the consumer has made no data subject request. Deletion must be done by default.
Rental cars
Privacy4Cars regularly searches various vehicle portfolios. Rental vehicles consistently have the highest incidence of abandoned consumer PI, with nearly 99% of vehicles studied to date containing PI, often from multiple previous renters. All four leading rental companies were sued for failing to delete consumer PI after each rental, exposing user information to other renters, employees and unauthorized third parties. Two six-figure settlements have already been reached in related legal disputes.
Insurance carriers are among the largest buyers of rental car services. The increase in repair complexity and current parts shortages mean that average rental days per claim are increasing, resulting in higher costs, more policyholder PI left in vehicles and higher risk. To limit their risk, P&C carriers should begin by having rental providers delete policyholders’ PI after each rental and by requiring compliance records as a condition of doing business. Manufacturers recommend deleting PI. The National Institute of Standards and Technology’s NIST 800-88 Rev. 1 states that data erasure is the minimum “reasonable security” data sanitization standard. Clearing PI from cars is the only way to achieve the “reasonable technical and administrative measures” required by the Model 673 laws.
Total write-off vehicles
Over 90% of the totaled vehicles surveyed by Privacy4Cars that were able to collect consumer data contained PI. The party responsible for protecting this PI is the carrier because if a total loss occurs and the damage is paid for, title to the vehicle will pass from the policyholder to the carrier.
At that point, the carrier becomes the owner of the vehicle and everything it contains, including the PI of the policyholder and their family members. As with any other electronic repository containing customers’ personally identifiable information, the carrier now has a fiduciary duty to protect it, even if the collection was unintentional. Carriers should not take this responsibility lightly, as the sale of devices containing consumer personal information can result in significant liability claims, as in the recent $60 million class action settlement against Morgan Stanley.
Fortunately, insurance carriers have several ways to mitigate this risk by requiring the deletion of PI from vehicles as part of their standard checklist before selling assets. This process can be carried out by experts, workshops, towing companies or car auctions in a short time and at a reasonable cost. Again, a consistent, standardized, and measurable process is key to demonstrating your compliance.
From duty to opportunity
Beyond legal obligations, carriers can benefit from the protection of personal data collected from vehicles in at least two ways.
First, reducing their data footprint can reduce risk for their policyholders (e.g., many vehicles contain home addresses and garage door codes).
Second, discussing the protections you put in place when your policyholders need to rent or suffer a total loss can open an important conversation about data security, including additional protections you may offer (e.g., identity theft protection, cyber insurance) to reduce your customers’ risk.
Three devices in particular collect mountains of data from consumers: computers, phones and vehicles. By leading the conversation around privacy and security in vehicles, insurers can create a lasting impression of total care and offer unique value and security. Your policyholders will thank you.
Andrea Amico is CEO and founder of Privacy4Cars. She is a leading authority on vehicle privacy and cybersecurity.