Construction’s Quiet Data Problem: Why Infrastructure Companies Are Becoming Cyber Targets

The Posillico, Inc. data breach that occurred in December 2025 has highlighted a growing concern that construction and infrastructure companies have increasingly become custodial entities for sensitive personal information on their employees and other individuals as a result of conducting business activities.

Historically, construction industry stakeholders did not consider themselves to be data-driven entities. Their primary assets were the physical assets of the project, such as construction equipment, materials and construction sites. With the digitisation of onboarding and supply chain operations, however, construction stakeholders now upload large volumes of employee and contractor files into centralised storage systems, including payroll records, social security information, etc.

As indicated in the release by Posillico, Inc. (a New York-based environmental and construction services company), the breach has affected approximately 10,000 individuals, and the incident involves the potential exposure of sensitive personal information, including Social Security numbers. In this case, notification processes followed established regulatory guidelines for breach notification, which further illustrates that construction industry organisations can be impacted by cyber incidents similar to those affecting more traditional "data-heavy" industries.

Construction firms are required to keep records of their employees' information including, but not limited to, background checks, safety certifications, payroll documentation, and records of compliance with safety regulations for a period of time following termination of wages. This is particularly common on public works and environmental remediation projects. The extensive nature of these operational requirements leads to the retention of sensitive personal data that may be used even after the employee has left the firm.

In addition, many construction companies now use cloud technology and third-party software to manage Human Resources, Accounting, and Project Coordination. While this technology and software increases the efficiency of job sites and business units, it also adds platforms that access, manage and store personal information about employees. For large firms or those that operate in multiple areas of the country, managing user access and monitoring these systems can be quite difficult.

The way that a construction company's workforce is structured adds a further level of complexity to managing user access and monitoring the use of sensitive personal data. Most construction workforces are a blend of full-time staff, subcontractors and temporary workers. As projects are started and completed, employees' access to these systems changes frequently; it is therefore important that the firm maintains consistent access controls and monitoring to protect all sensitive personal data. Additionally, if a firm does not have a central place for its employee data, i.e. a central repository, maintaining consistent data-security practices among all users and systems will be a difficult task.

Cybersecurity has historically not been a priority in the construction industry, which has focused instead on safety compliance, insurance coverage and project delivery. Events that involve unauthorized access to digital systems highlight that digital risks are becoming an operational issue. Once personal identifiers have been breached and exposed to the public, it is very difficult for the affected person to recover, and the ramifications for those involved can be long-lasting.

Construction companies are modernizing and becoming, in addition to builders of physical structures, keepers of a wide range of sensitive personal data. The industry must now figure out how to adapt internal controls and governance methodologies to account for its dual role as builder and custodian. In an environment where digital systems are now an integral part of construction operations, the issue of data protection has transcended technology to become a core business obligation.