A MoFo Privacy Minute Q&A: What Organizations Can Do to Plan for “Steal Now, Decrypt Later” Attacks
This is A MoFo Privacy Minute, where we answer the questions our clients are asking us in sixty seconds or less.
Question: I’ve read about “Steal Now, Decrypt Later” attacks. What should we be doing now to respond when “secure data” is compromised?
Answer: Traditional encryption methods have long functioned as a key protective data security measure, rendering data unreadable to anyone who does not hold the key. Because of this, incidents involving encrypted personal data generally do not trigger breach notification requirements under U.S. and global privacy frameworks unless the encryption key has also been compromised. This is, in part, because existing technology has not been readily able to crack robust encryption algorithms. However, advances in quantum computing are expected to make current encryption methods easily crackable in the near future. Threat actors are aware of this and are now investing in attacks aimed at stealing encrypted data, because they expect that decrypting that data will become fairly easy in the near term. Organizations can start preparing now by incorporating smart governance and incident response strategies into their current playbooks.
Why This Matters
An incident involving encrypted data today could become a notifiable event in the not-too-distant future. In addition, organizations are required to maintain reasonable security measures and often rely on encryption as a key control. Moving away from current encryption methods is not a “flip the switch” exercise. Organizations should start thinking now about how they will address a future in which today's encryption is no longer sufficient and threat actors make good on their promise to “steal now, decrypt later,” extorting companies over now-decrypted data stolen years earlier.
What Should Organizations Be Doing Now?
There are concrete steps organizations can take now to plan for what is coming:
- Reassess governance strategies. Think of quantum computing as a present governance, legal, and risk-management concern. Ensure your current incident response and resolution plans account for incidents involving encrypted data. Think holistically about the risks presented by an incident, including where encrypted data is at issue. Start or continue planning for how your organization will transition its controls when encryption no longer constitutes “reasonable security.”
- Prepare for post-quantum cryptography. Consider what can be done now to enhance security safeguards. Monitor and plan for the adoption of quantum-resistant encryption standards, including those emerging from NIST. Determine whether to be an early adopter and how to de-risk your roadmap to compliance by leveraging initial materials, such as guidance issued by the UK National Cyber Security Centre and the European Commission.
- Minimize data. Identify data that exists in your own or third-party repositories that has been considered low or lower risk because it is encrypted. If that data is no longer necessary, consider whether it can be deleted. Minimization and defensible deletion strategies can materially reduce future risk.
- Prioritize data mapping. Consider identifying encrypted data repositories that are likely to contain sensitive data for a long period of time, which may be more attractive to threat actors seeking to steal encrypted data with a view to decrypting it later. Determine what additional controls can be put in place now and how these controls can be improved in the future.
- Review current notification practices. Ensure current incident response plans give due consideration to voluntary or proactive transparency. Beyond statutory and contractual notification obligations, consider current and future risks that may be created by an incident involving sensitive but encrypted data.
The Bottom Line
As quantum computing advances, organizations may soon find themselves thinking through current security controls as well as past incidents and their prior decisions. Transparency, foresight, and proactive risk management are increasingly critical to maintaining trust and can help organizations prepare for a quantum-computing future that is just around the corner.
Linda K. Clark, Partner
Dan Alam, Associate
Hebani Duggal, Associate