The harm is durable. The trigger is deferred.
A briefing for DPOs, compliance officers, and legal counsel on the HNDL legal-time dimension, retention obligations, and breach posture.
The Harvest Now, Decrypt Later threat creates a legal problem that most data protection frameworks were not designed to address: the breach event and the disclosure event are separated by years or decades. This briefing covers what the quantum paradox is, what it does to retention policy and Article 32 duty of care, and what compliance programs should do now.
The breach predates the disclosure.
Under current law, a data breach is typically triggered when there is unauthorized access to personal data. The Harvest Now, Decrypt Later (HNDL) threat model breaks the assumption that the access event and the discovery event are temporally close. Adversaries may have already accessed — and exfiltrated — encrypted records containing personally identifiable information, protected health information, or sensitive financial data, but neither the organization nor the regulator can verify that fact until the data is decrypted, which may not occur until a quantum computer becomes available.
California's SB 446, effective in 2026, now requires breach notification within 30 days of discovery — but the HNDL model means discovery may arrive retroactively, years after the underlying exfiltration. Academic legal analysis has described this structural temporal asymmetry as a quantum paradox in cyber law: the harm is durable but the trigger is deferred.
Practical implication: the conventional risk model that says "encrypted data is not a breach event" is becoming brittle. For long-lived classes of personal data, encryption at the time of transit no longer reliably forecloses the duty to notify. Regulators have not yet aligned on how this is treated, but the direction of travel is clear in the academic literature and in the policy signals from CISA and NIST.
Retention extends the HNDL window.
Organizations that retain encrypted personal data for extended periods are effectively extending the window of HNDL exposure. A standard practice of retaining encrypted health records for ten years, for example, means that any records currently in storage or transmitted over classical-encryption channels may be fully readable by adversaries within the second half of that retention window — and the records that were exfiltrated five years ago will be readable before the records being exfiltrated today.
This creates a duty-of-care argument that current privacy law has not resolved: if an organization knew that a class of data was vulnerable to HNDL and did not take reasonable steps to migrate it to quantum-resistant encryption before its retention period expired, could that constitute a failure to implement appropriate technical measures under GDPR Article 32, or HIPAA's Security Rule? Legal consensus has not formed, but the exposure is real and growing. The defensible posture is to document that a PQC risk assessment has been conducted and that retention schedules account for the HNDL exposure window.
Compliance programs should begin classifying data by secrecy lifetime — the period during which unauthorized disclosure would constitute meaningful harm — and cross-referencing that classification with migration priority. Data requiring long-term confidentiality (health records, identity records, M&A, IP, state secrets, custody and adoption records, witness identities) should be treated as a near-term technical priority, not a future one.
Document. Update. Plan for retroactive notification.
The Quantum Computing Cybersecurity Preparedness Act and OMB M-23-02 establish a federal compliance baseline; CISA's January 2026 procurement guidance extends that signal to critical infrastructure operators. For privacy professionals in the private sector — particularly in regulated industries where Article 32 or HIPAA Security Rule analysis is a standing obligation — there is enough policy direction to make defensible compliance updates today, even while case law and regulator guidance continue to develop.
The five compliance updates to make this year
- Document a PQC risk assessment. Have a written record showing this was considered as part of the organization's Article 32 or HIPAA security analysis. The assessment does not have to recommend migration today; it has to show the analysis was performed.
- Cross-reference retention schedules against the quantum timeline. Identify the classes of data whose retention window extends past the CNSA 2.0 inflection (2027–2031). These are the priority classes for migration when their underlying systems become PQC-capable.
- Update vendor risk management. Require evidence of PQC roadmaps from data processors who handle long-lived personal data. Add PQC-readiness questions to standard vendor due-diligence templates.
- Update the breach response plan. Address the HNDL scenario explicitly. Include the possibility of retroactive notification obligations when future decryption reveals prior exfiltration. Pre-position the legal-team workflow for that scenario now, not when it arrives.
- Train the incident-response team on the HNDL framing. The current breach-detection mental model assumes the breach event and the discovery event are temporally close; the team should rehearse a scenario where they are not.
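One way to carry out the secrecy-lifetime classification described earlier and the retention-versus-timeline cross-reference in the second update above, as an added Python example that is not part of this briefing: it assumes a data class is HNDL-exposed when classically encrypted records stay sensitive past 2027 (the start of the CNSA 2.0 window the briefing cites) and runs over a constructed sample inventory.

```python
from dataclasses import dataclass

# Quantum-relevant horizon used for the cross-reference: the CNSA 2.0
# inflection window cited in the briefing (2027-2031). Using the earlier
# year as the exposure threshold is a conservative assumption of this example.
HORIZON_START = 2027


@dataclass(frozen=True)
class DataClass:
    name: str
    created_year: int            # year the retention clock started for the oldest records
    retention_years: int         # retention schedule for the class
    secrecy_lifetime_years: int  # years after which disclosure no longer causes meaningful harm
    pqc_protected: bool          # already migrated to quantum-resistant encryption?


def exposure_end(dc: DataClass) -> int:
    """Last year in which disclosure of this class still causes harm.

    Retention keeps the ciphertext available to a harvester; secrecy lifetime
    keeps the plaintext sensitive. The HNDL window is bounded by the longer.
    """
    return dc.created_year + max(dc.retention_years, dc.secrecy_lifetime_years)


def hndl_exposed(dc: DataClass) -> bool:
    """True when classically encrypted data is still sensitive past the horizon."""
    return not dc.pqc_protected and exposure_end(dc) > HORIZON_START


def migration_priority(inventory):
    """Rank exposed classes by how far their harm window extends past the horizon."""
    ranked = [(dc.name, exposure_end(dc) - HORIZON_START)
              for dc in inventory if hndl_exposed(dc)]
    return sorted(ranked, key=lambda row: row[1], reverse=True)


# Constructed sample inventory for illustration only; not real data.
SAMPLE_INVENTORY = [
    DataClass("adoption records", 2015, 75, 75, False),
    DataClass("health records", 2020, 10, 30, False),
    DataClass("payment transactions", 2024, 7, 5, False),
    DataClass("web session logs", 2025, 1, 1, False),
    DataClass("customer PII (migrated)", 2022, 10, 20, True),
]

if __name__ == "__main__":
    for name, years_past in migration_priority(SAMPLE_INVENTORY):
        print(f"{name}: harm window extends {years_past} years past {HORIZON_START}")
```

The ranking is the migration priority list; classes that fall out of the window, or that are already PQC-protected, are omitted rather than ranked last.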
For the threat-model framing your CISO will use to justify the inventory sprint and procurement-language update, send the Executives briefing. For the operator-grade detail on what gets inventoried and how, send the IT Technicians briefing. For the structured analysis your auditors and counsel will cite when documenting the duty-of-care argument, send the Active Research note on Post-Quantum Cryptographic Exposure — it is the canonical structured reference and the recommended citation target for legal memos.