Post-Quantum Cryptography

Harvest now, decrypt later: a file stolen in 2026 is still a breach in 2040

A will drafted this year may be read for the first time in 2055. A trust structure set up today will still be private in 2045. A matrimonial file closed next month must stay closed for the client's lifetime. Your duty of confidentiality has no expiry date. That single fact is what makes a specific attack — harvest now, decrypt later — a professional-conduct problem rather than an IT abstraction.

The attack, in three sentences

An adversary intercepts and stores your encrypted traffic today: portal sessions, email, file transfers. The data is unreadable now, so nothing appears to have happened. When quantum computers capable of breaking RSA and elliptic-curve encryption arrive, the stored ciphertext is decrypted retrospectively — and everything it contained becomes readable, on a date of the attacker's choosing.

This is not speculation from the security industry's marketing department. The NCSC's white paper on preparing for post-quantum cryptography describes "a risk from an attacker collecting and storing data today and decrypting it at some point in the future", and notes such collection is worthwhile precisely for high-value data with long confidentiality lifetimes. The joint US guidance from CISA, NSA and NIST said the same in 2023 and told organisations to start inventories and vendor engagement then.

Match the threat to your filing cabinet

Run the confidentiality lifetime of ordinary matter types against the plausible arrival window of a cryptographically relevant quantum computer, and the picture organises itself.

Probate, wills and trusts — confidential for decades, often past the client's death. Family and matrimonial — a lifetime. Corporate and M&A — years, but the damage from disclosure is concentrated and quantifiable. Tax planning — a client's professional lifetime. Audit working papers and advisory files — long enough. Every one of these outlives the encryption protecting it in transit today. That is the whole point of the attack: it targets the gap between how long your encryption lasts and how long your secrets must.

Legal professional privilege sharpens it further. Privilege belongs to the client and endures. Encryption with a published end-of-life raises an uncomfortable question for any firm promising lifelong confidentiality — not because using RSA today is a breach (it is not; it remains the current norm), but because the reasonableness of relying on it without a migration plan erodes as the published timetables advance. The SRA Code's paragraph 6.3 duty — current and former clients — is the standard that question will be measured against.

The part that is already fixed, and the part that isn't

Some good news, honestly stated. The browser layer is migrating ahead of everyone else: Cloudflare reported in 2025 that more than half of human web traffic it serves already uses post-quantum key agreement. If your client portal sits behind a modern CDN, its transport encryption may already be quantum-resistant. You did nothing; the vendor moved.

The laggards are everything else: email in transit between older servers, VPNs, line-of-business applications, e-signature platforms, and — the category nobody owns — archives and backups. A backup tape encrypted in 2020 under RSA does not benefit from your CDN's upgrade. Neither does the export a departing employee took, or the traffic captured off a hotel network in 2024.

What a proportionate response looks like

Not panic, and not procurement. Three moves.

Classify by lifetime, not by system. One column added to your matter-type list: how long must this stay confidential? Anything beyond 2035 is in scope for the earliest attention — that is the NCSC's own completion deadline for migration.

Ask the harvest question of your vendors. Not just "when will you support the new standards" but "when is data in transit to and from your service protected by post-quantum key agreement?" — because harvest-now attacks are defeated by fixing key exchange first. Vendors that have done it can name the date they switched.

Write the position down. The breach that surfaces in 2040 will be judged by what was reasonable in 2026. A dated, one-page record — here is what we hold, here is how long it must stay confidential, here is what we asked, here is what they answered — is the artefact that converts hindsight into a defence.

The files most worth stealing from your firm are the ones that must stay secret longest. The attacker who wants them does not need to break your encryption. He only needs to wait for it to expire — unless, between now and then, your suppliers moved and you can prove you checked.

Sources

  1. NCSC, Next steps in preparing for post-quantum cryptography — rev. 10 Apr 2026 (retrospective-decryption risk framing).
  2. CISA / NSA / NIST, Quantum-Readiness: Migration to Post-Quantum Cryptography — 21 Aug 2023.
  3. NIST, FIPS 203 (ML-KEM) — 13 Aug 2024.
  4. NCSC, Timelines for migration to post-quantum cryptography — 2028 / 2031 / 2035 milestones.
  5. SRA, Code of Conduct for Solicitors, para 6.3 (duty to current and former clients).
  6. Cloudflare, State of the post-quantum Internet in 2025 (>50% of human web traffic on PQ key agreement).

Which of your matter types outlive your encryption? The ASIMOV Audit's security domain maps confidentiality lifetimes against your supplier posture.

Book an AI Risk Diagnostic