“The US does not have regulations for the private sector, but we have all the risk.” – Darren Bender
The conversation around post-quantum cryptography often stays technical. Algorithms. Timelines. Research breakthroughs. What gets missed is the legal reality forming underneath all of it.
In this episode of Shielded: The Last Line of Cyber Defense, Darren Bender, a US litigation attorney working at the intersection of law and quantum security, reframes the discussion in a way most organizations have not fully confronted. Quantum risk is no longer just an engineering problem. It is a question of legal duty, foreseeability, and evidence.
Darren’s core argument is that when harm eventually surfaces, courts will not begin by asking which regulations were missing. They will ask who had the duty to act, why that duty existed, and whether the risk was reasonably foreseeable at the time.
The Regulatory Gap Does Not Remove Responsibility
In the US, private-sector regulation around post-quantum cryptography remains limited. That absence often becomes a reason to wait. Darren explains why that logic fails under US negligence law.
Courts rely on case law, not just statutes. Once a risk becomes known through expert consensus, public guidance, and international coordination, responsibility attaches. The question is no longer whether regulation existed. The question becomes whether a reasonable organization should have known and acted.
From a legal perspective, quantum risk has crossed that line.
Harvest Now, Decrypt Later Breaks the Timeline
Most legal and security thinking assumes a clean sequence. Something breaks. Damage follows. Responsibility gets assessed close to the event. Harvest Now, Decrypt Later breaks that model entirely.
Encrypted data can be quietly copied today, stored indefinitely, and only become harmful years later when quantum capability arrives. There may be no alert, no visible breach, and no immediate loss. But the exposure already exists. When harm eventually surfaces, courts will not only look at that final moment. They will trace backward. When was the data taken? What protections were in place then? What guidance existed at each point? What decisions were made, and why?
This stretches negligence across time. Duty does not attach once. It reattaches every year an organization chose not to act. Delay becomes cumulative, not neutral.
Foreseeability Is Already Quantified
A common reason organizations delay is uncertainty. Quantum timelines feel fuzzy. Darren is clear on why that argument weakens over time. Foreseeability does not require certainty. It requires credible warning.
Courts regularly rely on expert probability, forecasts, and risk models in areas far less technical than cryptography. Public quantum threat timelines, expert surveys, and probabilistic estimates fall squarely into that category. They are published, transparent, and widely cited. From a legal standpoint, that matters.
Once credible experts agree that a risk is plausible within a defined window, it becomes foreseeable. Not guaranteed. Not immediate. But foreseeable enough to demand consideration. Ignoring that evidence does not preserve strategic flexibility. It creates a gap in the record. And gaps, in court, tend to get filled by opposing counsel.
When Delay Stops Looking Reasonable
Darren turns to the Learned Hand framework to explain the moment delay stops looking like judgment and starts looking like negligence. The idea is straightforward, but the implications are not. When the cost of taking precautions becomes lower than the expected harm of not acting, inaction loses its legal cover. At that point, waiting no longer signals caution. It signals disregard.
What makes this difficult is that the threshold is not universal. It depends on what data you hold, how long it stays sensitive, and how long migration would realistically take. For financial services, Darren argues that line has already been crossed. Retention windows align with quantum timelines, losses are quantifiable, and action today can still prevent damage. In sectors like healthcare, where records persist for decades, prevention may already be out of reach, leaving only mitigation.
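To make the cost-of-precaution comparison and the cumulative effect of delay concrete, here is an added worked model; it is mine, not code from the episode or from Darren Bender. It assumes a constructed probability distribution for the year a cryptographically relevant quantum computer (CRQC) arrives, placeholder sector profiles (retention window, migration duration, loss per year of harvested data, one-off migration cost in the same arbitrary units), and the simplification that each year of data captured under classical cryptography before migration completes is independently exposed. Under those assumptions it computes the Learned Hand comparison (cost of the precaution B against the harm P*L it still prevents), how expected harm grows with each year the decision is deferred, and how much of the expected harm is already locked in by data harvested in earlier years, which is the difference the text draws between financial services and healthcare.

```python
from dataclasses import dataclass

# Constructed illustrative probability mass for the year a CRQC first exists.
# It is not a forecast; a real assessment would substitute a published
# expert-survey distribution.
ARRIVAL_PROBS = {2030: 0.1, 2033: 0.2, 2036: 0.3, 2040: 0.4}

FIRST_CAPTURE_YEAR = 2000  # assumed earliest year traffic could have been harvested
HORIZON = 2045             # assumed last capture year the model considers


def p_break_before(year, arrival_probs=ARRIVAL_PROBS):
    """Probability that a CRQC exists strictly before `year`."""
    return sum(p for y, p in arrival_probs.items() if y < year)


@dataclass(frozen=True)
class Profile:
    name: str
    retention_years: int   # how long harvested data stays sensitive
    migration_years: int   # realistic time to complete migration
    annual_loss: float     # L: loss if one year's harvested data is exposed
    migration_cost: float  # B: one-off cost of the precaution (same units as L)


# Constructed sector profiles; the numbers are placeholders in arbitrary units.
FINANCIAL = Profile("financial services", retention_years=7, migration_years=3,
                    annual_loss=10.0, migration_cost=12.0)
HEALTHCARE = Profile("healthcare", retention_years=40, migration_years=5,
                     annual_loss=10.0, migration_cost=12.0)


def expected_harm(profile, decision_year):
    """Expected loss from data captured under classical cryptography when the
    migration decision is made in `decision_year` and completes
    `migration_years` later (None = never migrate). Data captured in year c
    stays sensitive until c + retention_years, so it is harmed only if a CRQC
    exists before that date. Every year before completion adds one more
    harvestable year, which is why delay is cumulative."""
    if decision_year is None:
        migrated_by = HORIZON
    else:
        migrated_by = min(decision_year + profile.migration_years, HORIZON)
    return sum(profile.annual_loss * p_break_before(c + profile.retention_years)
               for c in range(FIRST_CAPTURE_YEAR, migrated_by))


def locked_in_harm(profile, now):
    """Expected loss from data harvested before `now`. No precaution taken today
    reaches it; only mitigation (monitoring, notification, insurance) remains."""
    return sum(profile.annual_loss * p_break_before(c + profile.retention_years)
               for c in range(FIRST_CAPTURE_YEAR, now))


def learned_hand(profile, decision_year):
    """Learned Hand test: omitting the precaution stops being reasonable once
    its cost B is below the harm it would still prevent (P * L).
    Returns (avoidable_harm, precaution_required)."""
    avoidable = expected_harm(profile, None) - expected_harm(profile, decision_year)
    return avoidable, profile.migration_cost < avoidable


def delay_schedule(profile, now, years=3):
    """Expected harm baked in for each successive year the decision is deferred."""
    return [(d, expected_harm(profile, d)) for d in range(now, now + years)]


if __name__ == "__main__":
    NOW = 2026
    for prof in (FINANCIAL, HEALTHCARE):
        avoidable, required = learned_hand(prof, NOW)
        locked = locked_in_harm(prof, NOW)
        total = expected_harm(prof, None)
        print(f"{prof.name}: B={prof.migration_cost:.0f} vs avoidable P*L={avoidable:.1f} "
              f"-> precaution {'required' if required else 'not yet required'}; "
              f"{locked / total:.0%} of expected harm is already locked in")
        for year, harm in delay_schedule(prof, NOW):
            print(f"  decide in {year}: expected harm {harm:.1f}")
```

With the constructed numbers, the financial profile passes the Learned Hand threshold with almost nothing locked in yet, while the healthcare profile passes it too but with more than half of its expected harm already attached to records harvested before the decision point: prevention can only narrow the remaining window. The distribution and the profile values are the inputs a real assessment would have to defend; the point of the model is to make those inputs explicit and dated, which is exactly the record the text says courts will look for.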
Painted Compliance Creates More Risk
One of Darren’s sharpest warnings targets what he calls performative readiness. Declaring quantum readiness without doing the underlying work does not reduce risk. It multiplies it. Public claims create expectations. Expectations shape reliance. And reliance opens the door to legal exposure.
Courts are not persuaded by labels or marketing language. They look for substance. When organizations talk about readiness without inventories, migration plans, or governance behind it, those statements become evidence rather than protection. Darren’s metaphor is deliberate. A painted horse does not become a zebra. The stripes do not add strength. They only make cross-examination easier.
From a legal standpoint, silence paired with real progress is often safer than signaling confidence without proof. In litigation, what you claim matters almost as much as what you do.
What Courts Will Actually Look For
When quantum risk eventually shows up in court, Darren emphasizes that outcomes will hinge less on technical perfection and more on evidence of care. Courts will not expect early mastery of post-quantum cryptography. They will expect proof that leaders understood their responsibility and revisited decisions as the risk became clearer.
Courts are likely to look for five concrete elements:
- A cryptographic asset inventory showing what you knew you were protecting
- A documented risk assessment using real frameworks, not generic awareness
- Evidence of board-level oversight and executive engagement
- Written decisions with rationale, even when delaying
- Regular review intervals showing the issue was revisited as the threat evolved
Courts do not expect perfection. They expect diligence that can be demonstrated.
Three Actions That Matter in 2026
Darren’s guidance for 2026 avoids urgency theater and focuses on actions that quietly reduce risk while strengthening the legal record.
- Talk to vendors early and document conversations – Even without committing, timelines and cost estimates show awareness and create evidence of informed evaluation.
- Map regulatory exposure across jurisdictions – Understanding which frameworks apply and how enforcement works prevents blind spots, especially for multinational organizations.
- Identify crown-jewel data and fix no-regret technical debt – Inconsistent TLS configurations and manual certificate management slow migration and weaken credibility when larger investments are requested.
None of these steps requires perfect answers. They require momentum, documentation, and follow-through. Together, they lower risk today and protect optionality tomorrow.
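The cryptographic asset inventory from the earlier list and the no-regret fixes named here (inconsistent TLS configurations, manual certificate management) are easier to reason about as one concrete artifact. The following is an added example of a minimal inventory with a consistency check; it is not from the episode or from Darren Bender. The hosts, service names, certificate dates and field names are constructed, and the hybrid group name X25519MLKEM768 is taken from the IETF TLS hybrid key agreement draft. It separates what a CRQC would break (the Harvest Now, Decrypt Later exposure, which sits in the key exchange) from ordinary hygiene debt, and treats the configuration most hosts of a service share as that service's baseline so that drift shows up per host.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Endpoint:
    host: str
    service: str          # logical service the host belongs to
    tls_min: str          # lowest protocol version the host still accepts
    key_exchange: str     # key-exchange group the host negotiates by default
    cert_key: str         # certificate public key as algorithm-size
    cert_not_after: date  # certificate expiry
    cert_renewal: str     # "acme" (automated) or "manual"


# Constructed sample inventory. A real one is populated from TLS scans,
# certificate stores and configuration management, not typed by hand.
INVENTORY = [
    Endpoint("api-1.example", "api", "TLS1.2", "X25519", "RSA-2048", date(2026, 9, 1), "acme"),
    Endpoint("api-2.example", "api", "TLS1.0", "RSA", "RSA-2048", date(2026, 2, 10), "manual"),
    Endpoint("api-3.example", "api", "TLS1.2", "X25519", "RSA-2048", date(2026, 8, 15), "acme"),
    Endpoint("pay-1.example", "payments", "TLS1.3", "X25519MLKEM768", "ECDSA-P256", date(2026, 11, 30), "acme"),
    Endpoint("pay-2.example", "payments", "TLS1.3", "X25519MLKEM768", "ECDSA-P256", date(2026, 10, 20), "acme"),
    Endpoint("legacy.example", "payments", "TLS1.1", "DHE-1024", "RSA-1024", date(2025, 12, 1), "manual"),
]

DEPRECATED_TLS = {"TLS1.0", "TLS1.1"}


def quantum_exposure(ep):
    """Findings a CRQC would turn into loss. Key exchange matters most for
    Harvest Now, Decrypt Later: recorded sessions can be opened retroactively.
    A hybrid group containing ML-KEM keeps confidentiality even if its classical
    half is broken. Signature keys matter later, because forging a certificate
    needs the CRQC to exist at the time of the forgery."""
    findings = []
    if "MLKEM" not in ep.key_exchange:
        findings.append(f"key exchange {ep.key_exchange} is quantum-vulnerable: recorded traffic is HNDL-exposed")
    if ep.cert_key.partition("-")[0] in {"RSA", "ECDSA"}:
        findings.append(f"certificate key {ep.cert_key} uses a quantum-vulnerable signature scheme")
    return findings


def hygiene_findings(ep, today, renewal_window_days=60):
    """No-regret technical debt that slows migration regardless of quantum timelines."""
    findings = []
    if ep.tls_min in DEPRECATED_TLS:
        findings.append(f"still accepts deprecated {ep.tls_min}")
    if ep.key_exchange == "RSA":
        findings.append("RSA key transport: no forward secrecy, one private key opens every recorded session")
    alg, _, size = ep.cert_key.partition("-")
    if alg == "RSA" and int(size) < 2048:
        findings.append(f"{ep.cert_key} is below the 2048-bit floor")
    days_left = (ep.cert_not_after - today).days
    if days_left <= renewal_window_days:
        findings.append(f"certificate expires in {days_left} days")
    if ep.cert_renewal == "manual":
        findings.append("manual certificate renewal: nothing to automate a fleet-wide re-issue")
    return findings


def inconsistencies(inventory):
    """Per service, the (tls_min, key_exchange) pair most hosts share is the
    baseline; hosts that differ are the drift a migration has to chase."""
    by_service = defaultdict(list)
    for ep in inventory:
        by_service[ep.service].append(ep)
    drift = {}
    for service, eps in by_service.items():
        profiles = Counter((ep.tls_min, ep.key_exchange) for ep in eps)
        baseline = profiles.most_common(1)[0][0]
        drift[service] = [ep.host for ep in eps if (ep.tls_min, ep.key_exchange) != baseline]
    return drift


def summarize(inventory, today):
    """Roll-up counts a board pack or a litigation record could cite."""
    return {
        "hosts": len(inventory),
        "pq_key_exchange": sum("MLKEM" in ep.key_exchange for ep in inventory),
        "deprecated_tls": sum(ep.tls_min in DEPRECATED_TLS for ep in inventory),
        "manual_renewal": sum(ep.cert_renewal == "manual" for ep in inventory),
        "expiring_soon": sum((ep.cert_not_after - today).days <= 60 for ep in inventory),
        "drift": inconsistencies(inventory),
    }


if __name__ == "__main__":
    TODAY = date(2026, 1, 15)  # constructed reference date
    for ep in INVENTORY:
        for line in quantum_exposure(ep) + hygiene_findings(ep, TODAY):
            print(f"{ep.host}: {line}")
    print(summarize(INVENTORY, TODAY))
```

The dated summary is the part worth keeping: re-running it at each review interval and filing the output is what turns "we knew what we were protecting" from a claim into a record.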
The Takeaway
The quantum threat is not about exotic physics. It is about whether organizations treat cryptographic resilience as an optional IT project or as infrastructure, alongside fire safety and financial controls.
Organizations that treat it as optional tend to defer, rationalize, and wait. Organizations that treat it as infrastructure build habits that compound. They inventory. They document. They review. They adapt.
When quantum risk eventually shows up in court, outcomes will depend less on which algorithms existed and more on whether leaders can show thoughtful, informed decision-making across time. What matters is not predicting the future perfectly, but taking responsibility seriously along the way.
You can hear the full conversation with Darren Bender on Shielded: The Last Line of Cyber Defense, available now on Apple Podcasts, Spotify, and YouTube.
About Darren Bender
Darren Bender is a US litigation attorney with a dual background in law and IT automation. He serves as Managing Attorney at Zwicker & Associates and is Co-Founder and Chief Litigation Officer in the post-quantum cryptography sector for a newly formed UK advisory firm, ProtecQC. Before practicing litigation, Darren spent nearly a decade as a business systems analyst at First American, where he designed and automated complex, high-volume, data-sensitive workflows across national production systems. His work today sits at the intersection of law, governance, and cryptographic risk, with a focus on how emerging technical threats translate into real legal exposure.