Whiting-Turner

The Whiting-Turner Contracting Company operates as a construction firm headquartered in the United States, providing general contracting and construction management services. Its business involves overseeing building projects across various sectors, which necessitates employing a workforce and administering associated human resources functions, including benefits and payroll. To support these operational needs, the company engages third-party vendors for specialized services such as tax preparation and healthcare benefits administration, which involves the transfer of sensitive employee and dependent information. This practice of outsourcing certain data processing tasks is common among employers managing complex benefits programs. The organization's core market is domestic construction, serving clients within the United States through its contracting operations. Its identity as a contracting company is consistent across its known aliases, indicating a long-standing presence in the building industry.

A documented cybersecurity incident from March 2016 illustrates the data risks associated with its vendor relationships. Whiting-Turner was notified that a tax preparation vendor experienced suspicious activity, potentially compromising confidential information submitted for employee tax and healthcare filings. The exposed data included employee names, Social Security numbers, wage details from W-2 forms, and dependent information from 1095 healthcare forms, encompassing both minors and adults. Upon learning of the vendor's incident, the company immediately restricted access to the vendor's systems and launched an investigation to determine the extent of unauthorized record access. This response demonstrates a procedural approach to vendor-related data breaches, including containment and forensic efforts. The incident notification to employees confirms the company's role as a data holder responsible for safeguarding personal information, even when processed by external parties. The types of data involved—tax identifiers and health-related dependent details—reflect the breadth of personal information handled through its benefits and payroll vendors. While the specific outcome of the investigation was not detailed, the event highlights the cybersecurity challenges faced by organizations that rely on third parties for sensitive employee data processing.