In the United States, state data breach notification laws protect citizens by forcing businesses to notify those citizens when their personal information has been compromised. These laws almost universally include an exception for encrypted personal data. Modern encryption methods make encrypted data largely useless, and the notification laws aim to encourage good encryption practices.
This Note challenges the wisdom of laws that place blind faith in the continued infallibility of encryption. For decades, Shor’s algorithm has promised polynomial-time factoring once a sufficiently powerful quantum computer can be built. Competing laboratories around the world steadily continue to march toward this end. Once quantum computers become strong enough, classical encryption will no longer remain secure.
Ramifications of quantum decryption would reverberate through all aspects of security and society. This Note focuses only on the interplay of this development with data breach notification laws. While these laws cannot prevent technological progress, a federal data breach notification law could encourage adoption of a quantum-secure classical encryption method. This would dampen the harm quantum decryption causes by limiting the relevance of newly useful encrypted data.