Likelihood: MODERATE
Impact: HIGH
Treatment: MITIGATE
Confidence: Moderate
Likelihood is moderate: exploitation status is unconfirmed and attack vector unknown, but SSNs and driver's license numbers are confirmed exposed — high-value PII with a well-established secondary market for identity fraud, meaning downstream misuse is probable regardless of whether the initial actor is active. Impact is high: the exposed data categories are sufficient alone to enable synthetic identity fraud, tax fraud, and account takeover against named individuals; Wright-Ryan faces regulatory exposure under Maine's breach notification statute; and organizations that shared workforce PII with Wright-Ryan as a contractor or vendor face secondary notification obligations and reputational liability.
Treatment rationale: The exposure is confirmed and the harm pathway (identity theft, regulatory breach notification, third-party secondary liability) is active regardless of attack vector uncertainty, requiring immediate containment and notification actions rather than acceptance or transfer as the primary posture.
Third-Party / Supply-Chain Risk
Per NIST SP 800-161 third-party risk framing: Wright-Ryan functions as a contractor/subcontractor node in construction project supply chains. Organizations that transmitted employee or contractor PII to Wright-Ryan — for payroll, benefits administration, bonding, or compliance purposes — are exposed as downstream data principals. Those organizations may hold residual notification and remediation obligations for affected individuals whose PII transited Wright-Ryan's environment. Vendor PII-sharing agreements and data processing addenda with Wright-Ryan should be reviewed immediately to determine scope of shared custodial responsibility.
Loss Exposure (illustrative)
Magnitude: Moderate to high — illustrative $250K–$2M for a directly affected organization, driven by notification costs, credit monitoring obligations, regulatory response, and potential third-party claims; higher end applies if significant workforce PII was shared and secondary notification obligations are confirmed.
Frequency: Single realized event for directly affected individuals and organizations; ongoing secondary-loss frequency elevated for 12–24 months post-exposure due to identity fraud lifecycle of SSN-class PII.
Annualized: Illustrative. For a third-party organization with confirmed PII sharing with Wright-Ryan, annualized exposure is approximately $50K–$300K when single-event costs, plus the elevated fraud-monitoring burden and potential litigation tail, are amortized over a 24-month window.
Basis: Magnitude derived from breach-response cost components typical for SSN/driver's license class PII: per-individual notification and credit monitoring services, regulatory response effort, legal review, and reputational response. Frequency reflects the realized nature of the exposure (not hypothetical) and the extended fraud-exploitation window associated with government-identifier categories. No third-party actuarial data cited. Figures are illustrative constructs, not sourced from any industry benchmark report.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• SSN and driver's license exposure may invoke state breach-notification obligations under Maine's Notice of Risk to Personal Data statute and analogous statutes in states where affected individuals reside — verify with counsel.
• Third-party organizations that shared workforce PII with Wright-Ryan may face independent notification obligations as co-custodians of that data — verify with counsel.
• PII exposure of this category may trigger cyber-insurance incident-notice requirements and potentially a first-party or third-party liability claim — verify with broker and counsel before assuming coverage applies.
• Contracts between Wright-Ryan and client organizations or subcontractors may contain data-security or breach-notification clauses that create civil liability — verify with counsel.