The Entropy Podcast

Harvest Now, Litigate Later Quantum Exposure with Darren Bender


Listen Later

In this episode of the Entropy Podcast, Francis Gorman sits down with Darren Bender, a Texas-based attorney, chief legal officer, and co-founder working at the intersection of law, IT, and post-quantum cryptography.

The conversation explores a question many boards, legal teams, and security leaders are only beginning to face: when quantum computers threaten today’s encryption, who becomes liable for doing nothing?

Darren breaks down post-quantum negligence in practical terms, explaining why “we didn’t know” may not be a credible defence for much longer. From Harvest Now, Decrypt Later attacks to board minutes, data shelf life, migration timelines, DORA compliance, procurement decisions, and third-party liability, this episode reframes quantum readiness as more than a technical challenge.

It is a governance issue. A legal exposure issue. A fiduciary duty issue. And potentially, a future courtroom issue.

Key Takeaways

  • Post-quantum cryptography is no longer just a cybersecurity concern; it is becoming a boardroom and legal risk conversation.
  • Organisations may need to show how they assessed quantum risk, prioritised critical data, and documented informed decisions.
  • Board minutes, governance records, risk assessments, cryptographic inventories, and migration plans could become central evidence in future litigation.
  • “Cryptographic procrastination” may become difficult to defend if organisations knew about the risk but chose not to act.
  • The Mosca theorem helps boards think about whether their data shelf life plus migration time exceeds the timeline for a cryptographically relevant quantum computer.
  • The Learned Hand formula offers a legal lens for comparing the burden of prevention against the probability and magnitude of future harm.
  • Financial services, healthcare, energy, and critical infrastructure may be among the first sectors exposed to post-quantum liability.
  • DORA and similar regulatory frameworks may create either a defensive treasure trove or a litigation minefield, depending on the quality of the paper trail.
  • Supply-chain liability will be complex, with SaaS providers, cloud providers, HSM vendors, certificate authorities, and customers all potentially pulled into the same dispute.
  • Procurement teams should start asking not just whether vendors are secure today, but whether they can support post-quantum migration tomorrow.

Soundbytes

“Quantum risk is moving from the server room to the boardroom.”

“Harvest Now, Decrypt Later may become Harvest Now, Litigate Later.”

“The question is not just whether encryption breaks. It is who knew, who acted, and who documented the decision.”

“In a future lawsuit, the paper trail may matter as much as the technology.”

“Cryptographic procrastination is not a strategy.”

“Doing nothing may be the most expensive decision a board ever makes.”

“Post-quantum readiness is not a light switch. It is a long fuse with a big boom at the end.”

“If your data still has value when quantum arrives, your risk clock has already started.”

“DORA can be a treasure trove or a minefield. It depends what your records show.”

“Your vendors may hold the keys, but your organisation may still hold the liability.”

“Quantum readiness is no longer just about algorithms. It is about governance, accountability, and foreseeable harm.”

“The courtroom may become the place where quantum risk finally gets priced.”


...more
View all episodesView all episodes
Download on the App Store

The Entropy PodcastBy Francis Gorman