Quantum Computing Legal Risks for Businesses: What Owners and General Counsel Should Do Now
- Todd Nurick

Quantum Computing Legal Risks for Businesses are still easy to dismiss as a future problem.
That’s a mistake. Quantum computers aren’t yet breaking ordinary business encryption at scale, but the legal and business planning issues are already here. The National Institute of Standards and Technology (NIST) finalized its first three post-quantum cryptography standards in August 2024 and said there was no need to wait to start using them. The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and NIST have also warned organizations to begin quantum-readiness planning now because adversaries may already be collecting encrypted data for “harvest now, decrypt later” attacks.
For business owners, in-house legal teams, and companies using Fractional General Counsel / Outside General Counsel, the immediate question isn’t whether a quantum machine will arrive next quarter. It’s whether the company is treating quantum risk as a technical issue only, when it is already a contract, governance, cybersecurity, vendor-management, and disclosure issue. The American Bar Association has also urged lawyers to start getting their arms around quantum computing because the legal and policy implications are already developing.
Todd Nurick of Nurick Law Group, LLC, a Pennsylvania and New York business attorney with approximately 30 years of civilian business law and litigation experience, and a former Army officer, helps companies evaluate emerging technology risks in a practical way that fits business operations, contracts, governance, and long-term legal exposure.
Quantum Computing Legal Risks for Businesses: why this belongs on the legal side of the table now
A lot of companies still hear “quantum computing” and think of research labs, chip makers, or science headlines. The legal issue is more immediate. If your company holds data that must remain confidential for years, uses systems built on current public-key cryptography, signs long-term technology agreements, or makes security commitments to customers, regulators, or counterparties, quantum risk is already part of the legal analysis. NIST’s finalized standards cover general encryption and digital signatures, and CISA, NSA, and NIST have emphasized that migration will take time because cryptography is embedded across products, services, hardware, software, and networks.
That point is easy to miss because the technical threat and the legal risk don’t arrive on the same day. The legal risk starts earlier, when the company knows enough to plan but does nothing. The ABA article from June 2025 framed the issue in exactly those terms, noting potential exposure involving contracts, negligence theories, regulatory scrutiny, and reputational harm if businesses fail to prepare reasonably for a quantum-safe transition.
Quantum Computing Legal Risks for Businesses and the “harvest now, decrypt later” problem
This is the part business leaders should understand first. You don’t need a practical quantum attack tomorrow for your company to face quantum-related risk today. CISA, NSA, and NIST warned in 2023 that threat actors may already be collecting encrypted data now in the hope of decrypting it later when cryptographically relevant quantum computers become viable. That is the “harvest now, decrypt later” scenario. Today’s General Counsel summarized the same point this month in practical terms for legal departments.
For some businesses, that may be manageable. For others, it isn’t. If the data has a short commercial life, the eventual loss may be less severe. If the data involves trade secrets, proprietary formulas, product designs, long-tail customer information, sensitive M&A documents, regulated data, or information that remains valuable for many years, the risk profile changes materially. Today’s General Counsel used that same distinction, contrasting short-lived credit card data with a long-lived proprietary recipe.
That’s why quantum readiness isn’t just an IT modernization issue. It’s a business judgment issue about the secrecy life of data, the promises the company has made about safeguarding it, and what a reasonable transition plan should look like under the circumstances.
Quantum Computing Legal Risks for Businesses in contracts and vendor diligence
This is where the issue becomes very practical for small and mid-sized businesses.
Most companies won’t build their own post-quantum cryptography stack. They will depend on software providers, cloud platforms, hardware manufacturers, managed-service vendors, communications providers, and cybersecurity vendors. NIST has encouraged system administrators to begin transitioning to the new standards, and CISA’s 2026 product-category guidance was designed specifically to help organizations identify the kinds of technologies that will need post-quantum updates.
That means legal and procurement teams should be asking vendors questions now, including:
- whether their products use cryptography that will require post-quantum migration
- whether they have a roadmap for adopting NIST’s finalized standards
- whether their contracts make any security or compliance commitments that assume current encryption remains sufficient
- whether they can support crypto-agility, meaning the ability to update algorithms without replacing the whole system
- whether they’ve identified products, services, or dependencies that may lag behind the transition
Those questions won’t solve the problem by themselves. But they do help the company avoid discovering too late that it is locked into technology that will be hard to migrate, hard to patch, or hard to defend. That is a practical inference from the guidance and standards work NIST, CISA, and NSA have already issued.
Quantum Computing Legal Risks for Businesses in cybersecurity representations and board-level oversight
Quantum risk also affects what a company says publicly and internally about security.
A company that tells customers it uses industry-standard encryption may still be accurate today. But over time, businesses will need to decide whether that language is enough, whether the company has a documented transition plan, and whether leadership can explain how it is approaching post-quantum migration. The ABA article on lawyers preparing for quantum computing pointed directly to breach-of-contract risk, negligence risk, regulatory investigations, and reputational harm if businesses fall behind as the transition becomes more concrete.
This is where boards, executives, Fractional General Counsel / Outside General Counsel, and internal legal teams should be aligned. The issue is not to promise something dramatic before the company is ready. The issue is to avoid being the organization that knew the transition was coming, had access to public standards and guidance, and still treated it as someone else’s problem.
What owners and general counsel should actually do now
The right first step isn’t panic. It is inventory and planning. So, a sensible legal-and-business checklist would include:
- identifying what categories of company data need long-term confidentiality
- mapping which critical systems and vendors rely on current public-key cryptography
- asking key vendors for post-quantum roadmaps and crypto-agility plans
- reviewing customer contracts, security commitments, and regulated-data obligations for language that may be affected by migration issues
- coordinating legal, IT, security, procurement, and leadership so quantum readiness isn’t stranded inside one department
- building a transition plan that can be updated as NIST, vendors, and regulators continue to move the market
That approach is consistent with what CISA, NSA, and NIST have already recommended. Their guidance emphasizes quantum-readiness roadmaps, inventories, risk analysis, and early vendor engagement rather than waiting for a single dramatic deadline.
Quantum Computing Legal Risks for Businesses are also about reasonableness
For lawyers and business leaders, that is the real standard to keep in mind. No one expects every company to migrate overnight. But over time, courts, regulators, counterparties, and customers may ask a more basic question: was the company acting reasonably in light of what was publicly known? By mid-2025, the ABA was already urging lawyers to understand the issue, and by 2024 NIST had already finalized its first core standards. That makes it harder to argue later that quantum transition planning was too speculative to address at all.
That doesn’t mean every business must solve the same problem in the same way. It does mean businesses should start documenting how they are thinking about it, what data they are prioritizing, and how they are engaging vendors and internal stakeholders. That record may matter just as much as the technical migration itself.
Conclusion
Quantum Computing Legal Risks for Businesses aren’t just about the future capability of quantum machines. They are about what businesses do now with the knowledge, standards, and migration guidance already on the table.
The companies in the best position won’t be the ones waiting for a single “quantum day” headline. They’ll be the ones that inventory sensitive data, pressure-test vendor readiness, build post-quantum language into procurement and contract review, and treat the issue as part of ordinary business risk management before it turns into a breach, a dispute, or a governance failure.
If your business is trying to sort out what quantum readiness should mean in contracts, vendor diligence, cybersecurity planning, or board-level oversight, Todd Nurick and Nurick Law Group, LLC can help evaluate the legal and business issues in a practical, grounded way.
Sources
NIST, NIST Releases First 3 Finalized Post-Quantum Encryption Standards (Aug. 13, 2024).
NIST, Post-Quantum Cryptography Project.
CISA / NSA / NIST, Quantum-Readiness: Migration to Post-Quantum Cryptography fact sheet (Aug. 2023).
NSA, Post-Quantum Cybersecurity Resources.
CISA, Product Categories for Technologies That Use Post-Quantum Cryptography Standards (Jan. 23, 2026).
ABA News, Lawyers should prepare for quantum computing (June 12, 2025).
Today’s General Counsel, What General Counsel Need to Know About Quantum Computing (May 8, 2026).
Disclaimer: This article is for informational purposes only and isn't legal advice. Reading it doesn't create an attorney-client relationship. Todd Nurick and Nurick Law Group aren't your attorneys unless and until there is a fully executed written fee agreement with Todd Nurick or Nurick Law Group.


