Home / Insights / Harvest Now, Decrypt Later: Why Law Firms Need Post-Quantum Encryption

Harvest Now, Decrypt Later: Why Law Firms Need Post-Quantum Encryption

By Jamie Kloncz, Founder, RankShield · Updated July 6, 2026 · Informational, not legal advice.

Post-quantum encryption matters to law firms because attorney-client privilege and trade secrets never expire. An adversary can steal encrypted files today and decrypt them years later once quantum computing catches up. This is a future risk being prepared for, not a present capability, but legal data with decades-long confidentiality is a prime target. NIST has finalized the standards firms will need [5].

The attack that targets permanent secrets

Harvest now, decrypt later (HNDL) is a strategy where an adversary records encrypted traffic or copies encrypted files today, stores them, and waits to decrypt them once quantum computing becomes capable. The data is unreadable at the moment of theft, so the breach can go unnoticed. What makes the tactic viable is patience: the attacker is not betting on breaking encryption now, but on breaking it later.

HNDL specifically threatens data with long confidentiality lifetimes. Information that must stay secret for a few weeks is a poor target, because the payoff arrives too late to matter. Information that must stay secret for a decade or more is an excellent target, because it retains its value long enough for the decryption capability to arrive. That timing mismatch is the entire premise of the attack, and it is why some categories of data are exposed while others are not.

Why legal data is uniquely exposed because privilege never expires

Legal data sits at the extreme end of the confidentiality-lifetime spectrum, which makes it a prime HNDL target. Attorney-client privilege and trade secrets do not expire. A sealed settlement, an M&A negotiation, an intellectual-property portfolio, or a long-lived dispute must stay confidential for decades, well past any near-term cryptographic transition window.

Consider what a law firm holds: privileged communications that remain protected indefinitely, trade secrets whose value depends on never being disclosed, and matter files that outlive the engagements that created them. An adversary who harvests these encrypted records today does not need to read them this year. They only need the confidentiality obligation to still be in force when decryption becomes possible, and for legal data that obligation rarely lapses. The duty to safeguard client secrets does not end when a matter closes, so the exposure window stays open far longer than it does for most other industries.

What NIST has done: standards and the 2030-2035 deprecation timeline

NIST has moved post-quantum cryptography from research into published standards. On August 14, 2024, NIST finalized FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA), its post-quantum digital-signature standards, alongside FIPS 203 (ML-KEM) for key encapsulation [5]. These are the algorithms organizations are expected to adopt as classical cryptography is phased out.

NIST has also set a transition timeline. In draft IR 8547 (November 2024), it indicates that RSA and ECDSA at the 112-bit-equivalent security level, such as RSA-2048 and ECC P-256, are to be deprecated after 2030 and disallowed after 2035 [6]. For legal data that must stay confidential for decades, those dates are not distant. Files harvested today are meant to remain sealed well beyond 2035, which places them squarely inside the window the timeline is designed to address. The standards exist now; the migration clock is the part that is already running.

What "quantum-safe" does and does not mean

"Quantum-safe" means cryptography designed to resist attack by a future quantum computer. It does not mean "quantum-proof," and the distinction is deliberate. A cryptographically relevant quantum computer (CRQC), one powerful enough to break today's classical encryption, does not exist yet. The threat is anticipatory: prepare confidentiality now so it survives the transition, rather than react after a capability arrives.

Two common points of confusion are worth clearing up. First, post-quantum cryptography (PQC) means algorithms like ML-DSA and SLH-DSA that run on ordinary computers and resist quantum attack [5]. Second, quantum random number generation (QRNG) and quantum key distribution (QKD) are separate technologies and are not PQC; they should not be treated as substitutes for the standardized post-quantum algorithms. When a firm evaluates "quantum" security claims, the relevant question is whether the vendor uses the NIST-standardized post-quantum signature and encapsulation algorithms.

How firms can start migrating legal confidentiality to post-quantum

Firms can begin by mapping which legal data carries the longest confidentiality obligations, because that is what HNDL targets first. Privileged communications, sealed settlements, trade secrets, and long-lived matter files are the highest priority, since their protection must hold well past the 2030-2035 window NIST has outlined [6]. Ranking data by how long it must stay secret turns an abstract quantum risk into a concrete inventory.

From there, the practical step is adopting cryptography built on the NIST-standardized post-quantum algorithms for the certifications, attestations, and records that must survive the transition [5]. RankShield Legal signs and seals certifications and attestations with post-quantum cryptography (ML-DSA and SLH-DSA) so that legal confidentiality holds against future quantum decryption. The goal is not to predict when a CRQC arrives, but to ensure that when it does, the firm's most durable secrets were never exposed to the harvest.

Frequently asked questions

What is harvest now, decrypt later?

Harvest now, decrypt later (HNDL) is an attack strategy in which an adversary captures encrypted data today, stores it, and decrypts it later once quantum computing becomes capable of breaking the encryption. The data is unreadable when stolen, so the theft can pass unnoticed. HNDL specifically threatens information with long confidentiality lifetimes, because that data still holds value when the decryption capability eventually arrives. Legal records such as privileged communications, sealed settlements, and trade secrets are prime targets, since attorney-client privilege and trade secrets do not expire and must stay confidential for decades, well beyond any near-term cryptographic transition.

Is quantum decryption possible today?

No. A cryptographically relevant quantum computer (CRQC), one powerful enough to break today's classical encryption such as RSA and ECDSA, does not exist yet. The risk is anticipatory rather than present: data harvested now could be decrypted in the future once such a machine is built. That is precisely why long-lived legal confidentiality needs attention today. NIST has already finalized post-quantum standards [5] and drafted a timeline deprecating classical algorithms after 2030 and disallowing them after 2035 [6], so the preparation window is defined even though the decryption capability is not yet a reality.

What is NIST FIPS 204?

FIPS 204 is a U.S. federal standard specifying ML-DSA, a post-quantum digital-signature algorithm, finalized by NIST and effective August 14, 2024 [5]. It was published alongside FIPS 205 (SLH-DSA), a second signature standard, and FIPS 203 (ML-KEM) for key encapsulation. These are the post-quantum algorithms organizations are expected to adopt as classical cryptography such as RSA and ECDSA is phased out. For law firms, FIPS 204 and its companion standards are the basis for signing certifications and attestations so that legal confidentiality and integrity survive the quantum transition.

RankShield Legal is a verifiable AI and quantum security platform for law firms: it signs and seals certifications and attestations with post-quantum cryptography so legal confidentiality holds against future quantum decryption. This article is general information, not legal advice; consult a licensed attorney about your situation.

References

[5] NIST. FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA). Effective Aug 14, 2024. https://www.federalregister.gov/documents/2024/08/14/2024-17956/announcing-issuance-of-federal-information-processing-standards-fips-fips-203-module-lattice-based

[6] NIST. IR 8547 (ipd): Transition to Post-Quantum Cryptography Standards. Nov 2024. https://nvlpubs.nist.gov/nistpubs/ir/2024/NIST.IR.8547.ipd.pdf

Verify your filings before you sign them.

RankShield Legal certifies that cited authorities exist, are quoted accurately, and are good law before you file, and proves privileged material never reached a third-party AI model. Request early access to the legal pillar of the RankShield Network.

Request early access