A MoFo Privacy Minute: Data Security & Quantum Computing: An Area of Concern?
This is A MoFo Privacy Minute, where we answer the questions our clients are asking us in sixty seconds or less.
Question: What are the current data security risks presented by quantum computing, and what should we bear in mind as this technology continues to evolve?
Answer: While a quantum computer that can break existing encryption techniques does not yet exist, regulators, including the UK Information Commissioner’s Office (ICO),[1] expect large organizations, especially those who rely on encryption, to start planning for new encryption standards and the impact that quantum computing may have in the near term on their data security programs.
Quantum computers will be able to solve problems significantly faster and more effectively than current computers and are capable of drastically advancing various fields, such as life sciences and public infrastructure, through the use of highly sensitive quantum sensors and quantum imaging.
Instead of regular ‘bits,’ quantum computers use ‘qubits,’ which can represent two states at the same time and which can be correlated with one another in ways that are more complex than is possible in regular computers.[2] Quantum computers may also be able to factorize very large numbers in a way that could render ineffective the existing encryption algorithms that are currently fundamental to the data security programs of most businesses globally across all industries.
To address this very real future risk, efforts are already underway by businesses, governments and regulators to develop post-quantum cryptography (PQC), a form of encryption that uses more sophisticated algorithms that are exponentially more difficult and complex for quantum (and current) computers to crack.
The U.S. National Institute of Standards and Technology (NIST) released the first standards on PQC earlier this year,[3] and has encouraged businesses to start implementing the standards immediately. The UK National Cyber Security Centre[4] also issued a white paper on PQC and recommends that businesses begin considering PQC migration for systems which carry data that will be valuable for a long time and systems where changes can only be made infrequently (e.g., because they are hard to upgrade). The ICO has not committed to enforcing a transition to PQC and emphasizes that businesses should not ignore their existing cybersecurity programs to advance PQC, but also cautions businesses that the challenges of implementing PQC should be taken into account and thoroughly examined.
It may still be some time until a quantum computer can be commercialized and utilized by threat actors, including nation-state threat actors,[5] but larger organizations, including digital service and financial service providers, should start preparing now for PQC and the fact that many of their current safeguards will be rendered obsolete. For example, businesses should take steps to prevent a data security incident from inadvertently being caused by misconfiguration errors during the implementation of PQC, and should also bear in mind the rapidly evolving, and potentially divergent, regulatory approaches.
We will continue to monitor regulators’ positions on PQC and the other impacts of quantum computing as the field develops.
[1] Preparing for the quantum-enabled future | ICO (Oct. 9, 2024).
[2] For an accessible explanation of how quantum computing works and how it could break common encryption methods, please see Quantum Computing could break the internet. This is how | Financial Times (May 3, 2023).
[3] NIST Releases First 3 Finalized Post-Quantum Encryption Standards | NIST (Aug. 13, 2024).
[4] Post-quantum cryptography: what comes next? | NCSC.GOV.UK (Aug. 14, 2024).
[5] Researchers at Imperial College London were able to produce, store, and subsequently retrieve quantum information using optical fibres for the first time in April 2024. For more information, see Crucial connection for ‘quantum internet’ made for the first time (Apr. 17, 2024).