agrrfpo.tif (135164 bytes)

Volume 7    Issue 2            March/April 2005

INFORMATION LEAK
Computer Access Concerns Some Glass Shops
by Les Shaver

When Linda McCabe, president of American Patriot Glass in Islip, N.Y., hung up the phone after talking to the sales representative from Glaxis, she was startled. The salesperson had called to convince her to switch from GlassMates, which is owned by National Auto Glass Standards (NAGS), to Glaxis, which is owned by PPG. Being a PPG ProStars shop she decided to listen. But during the sales pitch, she began to realize just how insecure her company’s vital and very private information could be. With Glaxis or GlasPac Total Solutions (GTS)—both connected with PPG Industries—hooked into her computer, the conspiracy theories began to pop up in her head. Could PPG and LYNX gain access to her company’s most private financial information, such as overhead, buying prices, selling prices and lists of vendors from whom she buys?

“They can look at what you’re charging and how many jobs you’re doing,” McCabe said. “They can control how many jobs you get. They can control how much business they give you. They can see the full picture. In the health fields, there is a lot of privacy. Where is the privacy in this area for small businesses?”

McCabe isn’t the only glass shop owner around the country with these questions. Many worry specifically about GTS because of its PPG-, LYNX- and ProStars-connections. But they also worry about information getting from any point-of-sales system into the wrong hands. So far, no one knows of anything happening and all of the point-of-sale software (POS) providers say they have confidentiality agreements, but some retailers are still taking steps in case this situation occurs. 

What’s the Fear?
To put it simply, your computer is both the brains and the lifeblood of your company. In it, you keep just about everything: your sales receipts, purchasing records, overhead figures, personnel costs and many, many other vital pieces of information. 

“My concern is that a software provider can be in our system and have access to all of our information,” said Dick Karbon, a principal with Klein-Dickert Co. Inc. in Madison, Wis.
Others also see many ways the systems could be abused. 

“The possibilities are widespread,” said Dave Taylor, secretary/treasurer of Cindy Rowe Auto Glass in Harrisburg, Pa. “You could sit here for ten hours and think of things that could go wrong. These people have access to everything about you. They have the ability to get into your computer system. That gives them lots of opportunities.”

But this information could prove even more valuable to one of your biggest suppliers or customers. Imagine, for example, that the distributor or manufacturer who sells you glass finds out that you’re not buying as much as they think you should from them. While this may mean nothing, it could also mean problems. They could raise the discounted rates you enjoy if you don’t purchase more from them. 

“The software provider can see every sales price and every company that we purchase from,” Karbon said. “If you don’t buy the bulk of your glass from one manufacturer, they know that.”

Or what if one of the networks with which you work gets your pricing for the other networks (or worse yet, your cash prices) and it’s lower than what you charge them? The network could demand lower prices or cut the work it gives you. 

“They could know the volume of business you do with their competitors,” Karbon said.
While many of these scenarios are of the doomsday variety (at least in the auto glass world), they are enough to keep some shops concerned about exactly who has their company information. And, many shop owners say it’s an issue with all of the POS software companies. 

“It’s a possibility with any [POS] company,” Taylor said.

The particular arrangement that draws the ire of most shops is that of PPG Industries in Pittsburgh and GTS. In 2000, PPG bought GTS, a large POS provider, to the alarm of many in the industry who were concerned that their confidential buying and selling company information could get in the hands of PPG, a major supplier, and LYNX, which doles out network jobs. When Karbon, who used GTS at the time and still does, heard about this he said he was upset, even confronting a GTS representative about the issue. He still has concerns, but not enough to change systems.

“You have an entity like PPG that manufactures, distributes and wholesales glass,” Karbon said. “They also have electronics through LYNX. Then they have GTS that provides software. They have total integration into the industry and are trying to make money off each entity that touches the auto glass industry. That’s good for them but it sure does give me reason for skepticism as to whether there could be mishandling of some of these things. But I have no evidence this has occurred.”

Anecdotal evidence says others have the same concerns. Both Mark Haeck, sales manager with Mainstreet Computers Inc., a POS software provider in Belleville, Mich., and Terry Miller, vice president with Quest Software, Inc., a POS software provider in St. John’s, Mich., say their business has increased since PPG bought GTS.

“People don’t like PPG knowing everything about their business,” Haeck says. “PPG owns software and glass. Not too many people want them to have all of their information.”

Retail Paranoia?
While Karbon and other glass shops are always looking at the possibility that their information could be misused, they acknowledge they have not noticed any wrongdoing. 
“I have no evidence that they ever used any of this information for any purpose other than what it’s intended,” Karbon said. “I don’t know that we want to blow it out of proportion, but yet we have to be conscious of it.”

For every Karbon and McCabe, though, there are others who don’t think their information is in danger. James Horrox, chief operating officer for The Stockton Glass Group in Stockton, Calif., and Paul Heinauer, president of Glasspro in Charleston, S.C., say that the issue of the confidentiality of the information on their computers was something they never even considered.

“I don’t worry about that a whole bunch,” Heinauer says. “I sometimes wonder if I’m being naive, but it’s just not something I think about.”

Even Karbon, who has thought and raised concerns about the issue of privacy, realizes there is a lot of auto glass paranoia out there, which, in the past, has also been aimed at networks, Safelite and NAGS. 

“This is a very conspiratorial industry,” Karbon said. “People sometimes fabricate things in their mind and are concerned about this. This industry is very paranoid.”

For their part, each software company says there’s nothing to be concerned about with their particular systems.

“GTS remains fully committed to the policy of safeguarding customers’ confidential business data,” said Mary Ann McCollough, director of marketing for the automotive aftermarket section of PPG Industries.

GTS actually has two different systems for glass shops, one offering more access than the other.

“If the customer system resides in a “hosted environment” at GTS, the agreement expressly defines the confidentiality obligations of the customer and GTS [which clearly stipulate the limitation to utilize the data only to support customer technical needs],” McCullough said. “If the system resides at the customer site, GTS personnel have extremely limited access to customer data, and will only log onto their system with customers’ permission or at their request, and only to focus on customer technical support issues. If, in the course of performing tech support duties, GTS personnel encounter confidential business information, it is the GTS policy/practice to only communicate relevant information needed to provide technical support to customers. In summary, the practice is to limit the communication of confidential information from customers, unless permission is received from customers to do so.”

While other companies aren’t under the same microscope as PPG, they also have access to the confidential information for glass shops. And some also do work for insurance companies. Quest, for instance, provides glass administration programs to insurance companies. Miller says this is not an issue.

“From our standpoint, there’s absolutely nothing for us to gain by sharing the information [from glass shops],” Miller said. “We have very strict privacy paragraphs and confidentiality paragraphs built into the contracts with our carriers. We also have confidentiality contracts with those that utilize us for EDI [electronic data interchange]. So it’s never a consideration on our part.”

And selling this information is also a non-issue, according to Miller.

“We wouldn’t have any reason to and certainly would be legally bound [to keep] from selling the information [from glass shops] to anyone out there,” Miller said. “That would certainly be foolish. To provide that information has no financial gain for us. It wouldn’t make any sense for us to do it. If somebody is billing State Farm at a certain price, I’m legally bound not to provide that information to somebody else.”

Mainstreet says it doesn’t even get access to the information on a user’s system.

“They have full control of their information,” Haeck says. “Other than processing their EDI, we don’t do anything with it. Any of our programs that communicate with other software/vendors, gives out the necessary relative information to that vendor. We don’t even give out our customers’ names to others unless they have agreed to being on our reference list.”

IBS in Kansas City says it’s the only company that doesn’t receive EDI invoices from its customers. Instead it sets up a way for its customer to send their EDI information to a mailbox service. The company also has a clause in its sales agreement that protects a shop’s information.

“Both parties acknowledge that during the course of this contract, each may obtain confidential information regarding the other party’s business,” said Kyle Kryger, president of the company. “Both parties agree to treat all such information and the terms of this contract as confidential and to take all reasonable precautions against disclosure of such information to unauthorized third parties during and after the term of this contract. Upon request by an owner, all documents relating to the confidential information will be returned to such owner.”

Steps To Take
Even after assurances from Haeck, Miller and McCollough, some glass shops still may be wary of the access their POS software providers have to their computer. While it’s very difficult to limit that access, some shop owners do have suggestions.

Mary Birkl, an owner at Ossi’s Auto Glass in Cockeysville, Md., suggests owners who still use a modem just turn it off at night. Karbon, who has a number of locations, actually had his information technology team look at ways to monitor his POS provider’s access. He hasn’t done anything yet, though.

“My computer people can block them by not letting them in unless someone is looking over their shoulder,” he said. “We could have someone literally monitor every step they take in our computer system. We’ve discussed it, but I don’t know that we’ve implemented it.”

There are even minor steps some shops have taken to protect information they consider confidential or important. Larry Swetz, owner of A Touch of Glass in Uniontown, Pa., refuses to list the insurance agent that assigned him a particular job on his invoices. The reason? He’s scared that a network that’s aligned with a big retailer may pass the agent’s name on to their retail division and he will lose business. 

“I leave the name and number of the insurance agent blank,” Swetz said. “They could pull the invoice and go to the agent. It’s not necessary to include everything.”

Regardless of the steps you take to protect your company’s confidential information, you must eventually have trust in your POS provider because it’s hard to cut off every access point. 

“Your POS software provider is your partner,” Taylor said. “You have to have trust in them and you have to believe in them or you shouldn’t have them as your software provider.”

While Taylor is idealistic about the partnership, he’s also pragmatic. 

“You need to back your trust up with a confidentiality agreement,” Taylor said. “It, at least, gives protection and the ability for redress if you are harmed by a breach of confidentiality.” 

Protecting The Consumer 
While identity theft and credit card fraud is the consumer crime on everyone’s mind, with groups from the Federal Trade Commission to credit card companies warning about it, many glass shops are still figuring out how to conquer the pre-technology consumer problem: bad checks.

After attending a seminar conducted by a special investigations officer in the Stockton, Calif., police department, James Horrox, chief operating officer for The Stockton Glass Group in Stockton, Calif., decided to take action. In the seminar, the officer warned local business owners that the department would not even investigate cases unless businesses got a customer’s thumbprint on their check. That caused Horrox to make the $2-$3 investment for a small inkpad for thumbprints. 

“We require every customer paying by check to give us a thumbprint,” he said.

Even though the company hasn’t had a problem with bad checks, Horrox still thinks it’s the right move. 

“We prefer to be safe rather than sorry,” he said.

Mary Birkl, an owner of Ossi’s Auto Glass in Cockeysville, Md., went a step further. After many experiences with bad checks and increasing costs from a company that researched check writers, she decided her company would no longer take checks. The final clincher for her was when other local business quit accepting checks. 

“As long as there’s other businesses not taking checks, we feel fine about it,” she said.

While some business owners are also concerned about customers using bad credit cards, Horrox doesn’t think that’s an issue in the glass industry. 

“This is not a market where things are being stolen with bad credit cards,” he said. “People have better uses for them than buying windshields. Buying a windshield leaves a long information trail.”

Taking on the Big Guys
Keeping sales information confidential is a problem that is not limited to computers and software. Scott Harkey, president of Windshield Glass in Greensboro, N.C., went toe-to-toe with an insurer regarding the replacement of a Lexus windshield. In Harkey’s case, the insurer, which accepts “reasonable and customary” pricing guidelines, requires proof of cost. The catch: the proof of cost must be submitted through the insurer’s glass claims administrator, which is owned by a large, competing glass company.

Harkey, not wanting to divulge his costs to his competitor, refused. The insurer then refused to pay the claim. 

“This is a battle we chose to fight,” Harkey told AGRR magazine in a telephone interview.

With the customer aware of the situation, Harkey submitted his proof of purchase to the glass claims administrator, showing the dealer list price but covering up his actual cost. The administrator refused to pay, so Harkey called the vice president of claims at the insurance company.

When the insurance company also refused to authorize payment, Harkey threatened to file a suit in small claims court.

Though it did not come to that, Harkey did submit a letter to the insurance company in October detailing his costs and requesting that the insurance company not share the information with their glass claims administrator.

“And they haven’t, as far as I can tell,” he said.

However, they did finally agree to pay the full cost of the replacement, albeit directly to the insured customer. Harkey received a letter from the insurance company earlier this week stating that the claim “will be handled on exception.”

Pleased with the outcome, Harkey doesn’t expect to have any problems collecting from his customer, nor does he foresee giving in to insurance companies that work with his competitor.

“If you’re told that as a condition of payment you have to surrender your costs to your competitor, that’s just not right or fair,” he said, stating that he signed no contract with the glass claims department or its parent company (the competitor).

“We’re a non-affiliated glass shop. We did not sign the contract with the administrator. We chose not to and it gives us better leverage when negotiating,” he said. 

He hopes others in the industry will learn from his experience.

“We’re going to see if we can promote changes to the way glass claims are handled. Glass shops of America, stand your ground. Don’t share your private cost information with your competitor. If enough shops do this, maybe something will happen,” he said.

Les Shaver is a contributing editor for AGRR magazine.


AGRR
© Copyright Key Communications Inc. All rights reserved. No reproduction of any type without expressed written permission.