What General Counsel Need to Know About Quantum Computing

Technology and law must adapt as innovations emerge. It’s a cycle we’ve witnessed from the dawn of the internet to the rise of generative artificial intelligence. Success favors organizations that anticipate these shifts. While identifying the next “big thing” is often difficult, mathematicians have already clarified the trajectory of the next major technological disruptor: quantum computing. It’s time for in-house legal teams to get ahead of this transition and mitigate potential cybersecurity risks.

What is quantum computing?

Standard computers rely on binary logic, processing strings of 0s and 1s. However, at the particle level, nature operates probabilistically. Quantum computing leverages this by using quantum bits (qubits), which allow for calculations far beyond the reach of traditional human logic.

Currently, a global race is underway between tech giants, labs, and governments to build sophisticated quantum machines. While scaling qubits remains a massive engineering challenge, the “quantum era” is approaching quickly. Google projects powerful quantum systems by 2029, while more conservative estimates anticipate quantum supremacy by the mid-2030s. Businesses and attorneys who prepare for these implications now can avoid significant future disruption.

Why does quantum computing matter?

Although quantum computing hardware is still under development, much is already known about this technology’s capabilities. Mathematicians have developed several algorithms that would allow a quantum computer to quickly solve problems that are effectively impossible for classical computers, like the ability to rapidly factor large numbers. The difficulty of factoring undergirds standard encryption protocols. In plain terms, powerful quantum computers will disrupt the security of information transfer and storage.

This risk is applicable to a broad range of data—even data that is encrypted before an entity creates a quantum computer powerful enough to bypass current encryption protocols. Cybersecurity professionals warn that criminals could already be carrying out harvest now, decrypt later (HNDL) attacks. They are accumulating and saving encrypted data now to cause damage or profit once quantum decryption becomes an option.

What should legal departments consider?

Although the emergence of quantum computing and decryption will certainly cause issues, it is not a problem without solutions. The National Institute of Standards and Technology (NIST) has released several “post-quantum” cryptography standards and is actively encouraging migration to them. For most organizations, software and technology providers will take on the heavy lifting in making secure encryption available (e.g., Microsoft has already built post-quantum cryptography libraries into new Windows Servers).

At this stage, general counsel and IT leadership should begin to understand how their organizations use encryption and develop a transition plan. Think about the sensitivity lifecycle of data your organization encrypts. For example, most banks will reissue credit cards in three to five years. Loss of credit card data to an HNDL attack might be less consequential than the compromise of a secret proprietary recipe that makes a company’s product unique. In a decade, the credit card data will have expired, but the secrecy of the recipe could still be mission-critical.

Over the next few years, as your organization evaluates or renews technology and software contracts, ask associated vendors whether they have adopted post-quantum cryptography protocols or have concrete plans to do so. Even if older business activities and information are compromised, the sooner you transition to quantum-proof technology solutions, the more valuable the data will be once quantum computing arrives.

You can immediately mitigate risk to your organization by conducting a thorough data inventory to determine what sensitive data or personal information you presently maintain. Through this process, many organizations will discover that over time they have accumulated sensitive data that no longer needs to be saved. Companies that delete data they no longer need and implement controls to evaluate and repeat this process on a rolling basis, decrease their potential liability in the face of quantum decryption and data breaches generally.

Quantum computers and decryption will cause disruptions, but businesses that proactively adopt post-quantum encryption will be better positioned to weather the quantum storm when it arrives.