Post-quantum risk is no longer a distant technical concern. It is an emerging legal exposure. In this episode of Shielded: The Last Line of Cyber Defense, host Jo Lintzen speaks with Darren Bender, a US litigation attorney and Chief Litigation Officer in the post-quantum cryptography sector. Darren introduces the concept of post-quantum negligence and explains how quantum threats intersect with foreseeability, duty of care, and negligence law. He walks through how courts may evaluate Harvest Now, Decrypt Later risk using expert forecasts, Mosca’s theorem, and the Learned Hand test. He also explains why financial services may be first to face litigation and what governance evidence organizations must begin documenting now to defend decisions made today.
Post-quantum cryptography is often framed as a future technical upgrade. Darren Bender challenges that framing and treats it as a legal exposure that already exists. In this episode of Shielded: The Last Line of Cyber Defense, Darren introduces post-quantum negligence and explains how US courts may assess quantum risk using established legal doctrines.
The discussion centers on a timing problem. Adversaries can harvest encrypted data today and decrypt it years later once quantum capability arrives. That gap breaks the traditional negligence model, where duty, breach, harm, and causation appear close together. With Harvest Now, Decrypt Later, harm may surface long after the decision to delay action. Darren explains why foreseeability becomes central, shaped by expert forecasts, Mosca’s theorem, and the Learned Hand reasonableness test. When migration cost drops below expected harm, inaction starts to look unreasonable. He outlines why financial services may be at that tipping point now, why healthcare may already be past it, and how delay compounds exposure.
The episode also addresses performative quantum readiness. Public claims without real cryptographic work can raise legal risk by creating expectations. Darren closes with practical guidance for 2026, emphasizing documentation, governance, and review that hold up later.
What You’ll Learn
- What post-quantum negligence means and why it fills a US regulatory gap
- Why Harvest Now, Decrypt Later disrupts traditional negligence timelines
- How foreseeability is established through expert consensus, not speculation
- How Mosca’s theorem frames exposure versus migration runway
- How the Learned Hand test determines when inaction becomes unreasonable
- Why financial services may face the first post-quantum negligence cases
- What evidence courts may expect when reviewing 2024–2026 decisions
- Why “quantum-ready” marketing without real work creates legal risk
- How liability spreads across vendors, cloud providers, and supply chains
- What leaders can do in 2026 to reduce future legal exposure
Darren Bender is a US litigation attorney with a dual background in law and IT automation. He serves as Managing Attorney at Zwicker & Associates and is Co-Founder and Chief Litigation Officer of ProtecQC, a newly formed UK advisory firm in the post-quantum cryptography sector. Before practicing litigation, Darren spent nearly a decade as a business systems analyst at First American, where he designed and automated complex, high-volume, data-sensitive workflows across national production systems. His work today sits at the intersection of law, governance, and cryptographic risk, with a focus on how emerging technical threats translate into real legal exposure.
Your Roadmap to Quantum Resilience
[01:07] Step 1: Quantum Risk Already Creates Legal Duty
Darren’s point is not that new laws suddenly create responsibility. It’s that responsibility shows up once a risk is widely known. In the US, courts do not wait for regulators to spell everything out. They look at whether a reasonable organization should have known about a risk and whether it had the ability to act. With public guidance, global coordination, and expert consensus now in the open, post-quantum risk is no longer obscure. Choosing to wait is still a choice, and courts will ask why that choice made sense at the time.
Key Question: If harm surfaces years from now, can you show why inaction was reasonable then?
[06:28] Step 2: Harvest Now, Decrypt Later Breaks the Negligence Timeline
Quantum risk does not look like a normal breach. There may be no alarm, no visible damage, and no clear moment of failure. Data can be copied quietly today and only become dangerous years later when it is decrypted. Darren explains that this stretches negligence across time. Courts may not focus on when harm finally appeared, but on earlier moments when data was taken and no action followed. Each year of delay becomes part of the story.
Key Question: If a court looks back year by year, what would your decisions show?
[10:11] Step 3: Foreseeability Is Already Quantified
Darren stresses that foreseeability does not mean knowing exactly when quantum computers will break encryption. It means having credible signals that the risk is coming. Courts already rely on expert forecasts and probability in many cases. Public quantum threat timelines and expert surveys fall squarely into that category. They are not fringe opinions. From a legal standpoint, this turns quantum risk from speculation into something measurable. Ignoring that evidence does not create flexibility. It creates exposure.
Key Question: Are you treating expert forecasts as real input, or hoping uncertainty protects you?
[12:32] Step 4: When the Reasonableness Test Stops Being Theoretical
Darren uses the Learned Hand test to explain when delay stops being defensible. The idea is simple. If the cost of fixing a problem is lower than the damage likely to come from ignoring it, doing nothing no longer looks reasonable. For PQC, that comparison depends on what data you hold, how long it stays valuable, and how hard it is to migrate. Once expected harm outweighs migration cost, waiting stops looking like judgment and starts looking like neglect.
Key Question: If someone did the math today, would waiting still make sense?
[13:04] Step 5: Why Financial Services Reaches the Line First
Financial services sits right at the edge. Data sticks around long enough to be valuable to attackers, but not so long that action today is pointless. Losses are measurable. Regulators pay attention. Most importantly, starting now can still prevent real harm. Darren contrasts this with healthcare, where records last decades and prevention may already be too late. Where harm could still have been avoided, courts are far less forgiving of delay.
Key Question: If Q-day arrives on schedule, will delay be your weakest point?
[20:08] Step 6: Performative Readiness, Shared Liability, and What Courts Will Expect
Darren warns that claiming quantum readiness without doing the work is worse than staying quiet. Public claims create expectations, and expectations create liability. From there, risk spreads across vendors, cloud providers, and integrators. When something fails, plaintiffs follow the money under joint and several liability. Courts won’t expect perfection. They will expect proof you took the issue seriously. That means inventories, real risk analysis, board awareness, documented decisions, and regular follow-ups. This is legal hygiene, not panic.
Key Question: If everything was laid out in court, would your records help you or hurt you?