Which Data Is Most at Risk from HNDL Attacks Today
Not all encrypted data is equally exposed to Harvest Now, Decrypt Later attacks. A retail transaction from last Tuesday carries effectively no HNDL risk. A genomic database record from the same day may carry HNDL risk for the lifetime of the person it describes. The difference is not in the encryption algorithm (both might use AES-256 for bulk data) but in the key exchange that protected the session during transmission, and in how long the underlying data must remain confidential.
This article is the decision-support companion to the HNDL fundamentals article. If you need an explanation of what Harvest Now, Decrypt Later is and how the attack works, start there. Here, the assumption is that you understand the threat and need a structured framework for identifying which data categories in your organisation warrant immediate action, which can be assessed at pace, and which can wait.
The Risk Equation: Mosca's Inequality Applied to Your Data
Michele Mosca formalised the HNDL risk window in an IEEE Security and Privacy paper published in 2018. The inequality is stated with three variables: X, the years required to complete a PQC migration; Y, the years until a cryptographically relevant quantum computer arrives (Q-Day); and Z, the years the data must remain confidential. If X plus Z is greater than Y, the data is in the HNDL risk window now.
The practical implication of this inequality is counterintuitive to many security professionals. The question is not "when will quantum computers arrive?" The question is "how long must this data stay secret, and how long will our migration take?" An organisation with a five-year migration programme (X = 5) protecting data that must remain confidential for another ten years (Z = 10) faces a combined window of fifteen years. If Q-Day arrives in twelve years (Y = 12), the deficit is three years: 15 is greater than 12. The data collected today, under RSA or ECDHE key exchange, is within the HNDL risk window under that model.
For the Q-Day planning assumption, three authoritative sources converge on the same central estimate. The Global Risk Institute's 2024 Quantum Threat Timeline Report places meaningful CRQC probability in the 2030 to 2037 range, with a central estimate consistent with the 2033 to 2035 window used here. NSA's CNSA 2.0 advisory mandates quantum-resistant-only algorithms by 2033 for National Security Systems, treating 2033 as the hard planning deadline. NCSC's March 2025 PQC migration guidance sets Phase 3 migration completion (all new systems quantum-safe) for 2031 to 2035. Using 2033 to 2035 as the central planning assumption is consistent with all three.
Data Lifetime vs Key Lifetime: A Critical Distinction
NIST SP 800-57 Part 1 Rev. 5, the key management recommendation, governs how long a cryptographic key should be used before rotation. Key rotation is a well-established security practice. Against HNDL, it is largely irrelevant.
A TLS session key generated for a specific connection may be used for thirty seconds before the session closes. The healthcare record transmitted in that session may require confidentiality for forty years. Key rotation removes the old key from future use; it does not make the captured ciphertext from the thirty-second session any less vulnerable to a future CRQC running Shor's algorithm. The adversary does not need to obtain the private key; they reconstruct it from the captured public key material. The session was captured while it was active. Rotating the key the following day changes nothing about what was already collected.
HNDL risk assessment therefore requires two independent axes. The first is the required confidentiality lifetime of the data: how many years from collection must this data remain secret? The second is the cryptographic vulnerability of the transmission: was this data protected during transit by an asymmetric key exchange mechanism that Shor's algorithm can break (RSA, ECDH/ECDHE, classical Diffie-Hellman)? Data at the intersection of a long required confidentiality and a quantum-vulnerable key exchange carries the highest HNDL exposure. Data with a short confidentiality lifetime, or data protected by ML-KEM hybrid or ML-KEM-only key exchange, sits outside the primary risk zone.
The Highest-Risk Categories: Where to Look First
The following categories combine long regulatory or natural confidentiality lifetimes with cryptographic exposure. These are the data types that security leaders should address first in any HNDL prioritisation exercise.
Government classified and intelligence communications. Classification frameworks in most national systems impose no maximum retention limit on classified material. UK Official Sensitive, Secret, and Top Secret material under the Government Security Classification Policy (2023) may be retained indefinitely. US classifications under Executive Order 13526 follow similar logic for the most sensitive material. Diplomatic cables, intelligence assessments, and military capability information have confidentiality requirements that extend decades beyond the date of transmission. All of this is transmitted and stored under cryptographic systems that include RSA, ECDH, or ECDSA components. The HNDL risk for these categories is as high as it gets.
Genomic and longitudinal health data. NHS patient records in England are retained for a minimum of eight years after last clinical contact for adults, and until age 25 or eight years after death for paediatric records, under the NHS Records Management Code of Practice (2021). Genomic data has a biologically permanent confidentiality requirement: a person's genome is fixed for life and does not become less sensitive with time. GDPR (and UK GDPR under the Data Protection Act 2018, which retained equivalent provisions for UK data processing) Article 9 classifies genetic data as a special category; Article 32 requires appropriate technical and organisational measures proportionate to the risk. A genomic database protected today under RSA or ECC key exchange, captured via HNDL, is permanently vulnerable. There is no re-encryption path that addresses already-collected ciphertext.
Long-duration financial records. MiFID II Article 16(7) requires investment firms to retain records of client communications and transaction orders for at least five years, rising to seven years for firms subject to supervisory requirements. FCA SYSC 9.1.1R applies equivalent obligations for UK firms post-Brexit. MiFID II Article 16(7) applies to investment firms authorised in EU member states; FCA SYSC 9.1.1R applies to UK-authorised firms. A firm with both EU and UK authorised entities is subject to both. Pension scheme records are retained for 40 or more years in most European frameworks. Transaction records encrypted today under vulnerable key exchange and collected now would be decryptable post-Q-Day, well within those retention windows. The financial sector's exposure is material and has an enforcement timeline attached to it.
Intellectual property and trade secrets. A pharmaceutical compound's commercial exclusivity under patent law spans up to 20 years from first filing. An automotive OEM's powertrain design, a defence contractor's systems architecture, a chemical manufacturer's proprietary process: these categories retain competitive sensitivity over periods that overlap significantly with a central Q-Day estimate of 2033 to 2035. The ODNI Annual Threat Assessment has consistently identified commercial IP theft as a primary objective of nation-state cyber operations. This is not a theoretical risk category; it describes documented collection priorities.
Legal professional privilege. Legal professional privilege in common law jurisdictions (including England and Wales) is permanent. Privileged communications between solicitor and client do not expire, do not become less sensitive with time, and are protected without an end date. The UK SRA Code of Conduct (para 6.3) imposes an indefinite confidentiality obligation. A privileged communication relating to an ongoing matter, a confidential commercial transaction, or a regulatory investigation, transmitted over TLS using ECDHE key exchange, carries a confidentiality lifetime with no upper bound. That places it at the extreme end of HNDL exposure in any Mosca inequality calculation.
Critical national infrastructure operational data. Operational technology systems (power grid control, water treatment SCADA, rail and transport management) use industrial protocols whose cryptographic implementations are often locked into hardware with refresh cycles measured in years. Operational data from CNI transmitted today may contain system architecture, configuration, and operational patterns that have long-term intelligence value for a state adversary seeking to pre-position for future disruption. The NIS Regulations 2018 designate operators of essential services in these sectors; NCSC's annual review documentation consistently identifies CNI as a primary HNDL target sector.
State pension and social security records. UK DWP retains National Insurance records indefinitely. US Social Security Administration maintains earnings records for the life of the account holder and beyond for survivor and dependent benefit calculations. These records contain PII, financial history, and benefit entitlement data with both long-term identity fraud value and legitimate indefinite state retention requirements. They sit firmly in the Mosca inequality's high-risk zone: confidentiality lifetime permanent, migration programme likely five or more years, Q-Day central estimate inside that window.
Medium-Risk Categories: Worth Assessing, Not Ignoring
The following categories carry genuine HNDL exposure but with a narrower risk window than the categories above. They warrant systematic assessment and inclusion in migration planning, without necessarily claiming first priority on migration resources.
Enterprise email archives. Email retained for legal hold, regulatory compliance, or corporate records typically carries a retention horizon of three to ten years. TLS-protected email transmission is quantum-vulnerable at the key exchange layer. Archived email encrypted with RSA key transport may be accessible to a CRQC if the HNDL collection window is already open. The exposure is lower than genomic data, but non-trivial for high-value corporate communications: merger and acquisition negotiation, regulatory correspondence, internal legal advice. For organisations where those communications exist in email archives, the relevant question is the Mosca inequality applied to those specific email categories, not to enterprise email as a blanket category.
Cloud-stored business data. Enterprise data in cloud object storage typically uses encryption at rest, but the key management layer may use RSA or ECDH for key wrapping. If the key encapsulation for customer master keys relies on quantum-vulnerable algorithms, collected key material could be recovered post-Q-Day. The major hyperscalers have published quantum-readiness statements and are actively working on PQC integration across their key management infrastructure. Security teams relying on hyperscaler encryption should track those roadmaps and plan for hybrid key exchange in the interim for the highest-sensitivity data.
Long-lived firmware and code signing. Signed firmware with deployment cycles of ten to twenty years must remain verifiably authentic for the duration of the system's operational life. A firmware image signed in 2024 with ECDSA must remain verifiable until the firmware is replaced. If the ECDSA signature is later found to be forgeable on a CRQC, the firmware's integrity attestation chain fails, with consequences for any system that relies on that attestation. NIST FIPS 205 (SLH-DSA) was explicitly designed for long-lived signature scenarios of this type; migration of firmware signing pipelines to SLH-DSA is a medium-priority action for organisations with long-cycle embedded systems.
Lower-Risk Categories: Not Everything Needs to Move First
HNDL does not mean that every encrypted system requires immediate migration. Proportionality is essential to a credible risk assessment, and over-prioritisation dilutes the focus that high-risk categories actually require.
Short-lived consumer session data has effectively no HNDL risk. A retail transaction, a streaming session, a casual browsing session: data with no confidentiality requirement extending beyond one year sits well outside the HNDL risk window under even the most pessimistic Q-Day estimate. Applying the Mosca inequality with Z approaching zero produces a result that does not exceed Y under any credible planning assumption. These systems should be migrated to PQC in due course as part of a general TLS upgrade programme, but they do not warrant emergency prioritisation.
Public-key-protected communications where the underlying information is public carry a different risk profile. A certificate authority signature on a publicly accessible webpage authenticates public information. Breaking that signature key post-Q-Day would enable forgery (a forward integrity concern), but it does not retroactively expose confidential information. The HNDL risk for confidentiality is low; the forward signature forgery risk warrants attention as part of a PKI migration programme, but it belongs in a different risk category.
A Four-Question Screen for Your Data Estate
The Mosca inequality applied to specific data categories produces a structured prioritisation. Four questions determine whether a specific data category is at immediate HNDL risk:
Question 1: What is the required confidentiality lifetime? Count forward from the date of collection to the date at which the data could safely be disclosed or destroyed without harm. For genomic data: permanent. For a pension record: 80 or more years. For a retail transaction: one to two years.
Question 2: What is the current key exchange mechanism protecting it? RSA, ECDH/ECDHE, and classical Diffie-Hellman are quantum-vulnerable. ML-KEM hybrid or ML-KEM-only key exchange is quantum-safe. If you do not know the answer to this question for a given data flow, that is itself a finding: proceed to build a Cryptographic Bill of Materials before attempting to prioritise.
Question 3: What Q-Day estimate applies to your threat model? For government agencies and national security environments: use NSA CNSA 2.0's 2033 planning assumption. For critical national infrastructure and financial services: use the GRI 2024 central estimate of 2033 to 2035. For commercial organisations without specific national security exposure: use 2035 as a reasonable planning horizon, with contingency planning for 2030 under pessimistic scenarios.
Question 4: Does X plus Z exceed Y? Substitute your migration timeline (X), the confidentiality lifetime (Z), and the Q-Day estimate (Y). If X plus Z is greater than Y, the data category is in the HNDL risk window. Prioritise it. The QSECDEF HNDL Risk Calculator applies this framework to specific data categories with configurable Q-Day and migration timeline assumptions.
Two worked examples show the contrast. A healthcare record created today, requiring confidentiality for 40 years (Z = 40) under a migration programme expected to take 5 years (X = 5), against the 2033 planning assumption (Y = 7 years from 2026, the earlier end of the 2033-2035 central estimate, used here for a conservative calculation): 5 + 40 = 45, which exceeds 7 by a wide margin. High risk. A retail session token, with a confidentiality requirement of 0 years (Z = 0) and the same migration timeline: 5 + 0 = 5, which does not exceed any credible Y. Negligible HNDL risk. Same encryption algorithm for the session. Entirely different HNDL risk profile.
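The four-question screen above, applied to a small inventory, as an added example that is not part of the original article. The `DataFlow` fields, verdict labels, threat-model keys and sample inventory are constructed for illustration; `now` defaults to 2026 as in the worked examples, and CNI/finance uses 2033, the earlier end of the 2033 to 2035 range.

```python
from dataclasses import dataclass
from typing import Optional

# Q2: key exchange families as the article classifies them.
VULNERABLE_KEX = {"RSA", "ECDH", "ECDHE", "DH"}
SAFE_KEX = {"ML-KEM", "ML-KEM-HYBRID"}   # labels are this example's own
# Q3: planning year per threat model; the earlier end of 2033-2035 is used
# for CNI/finance, the conservative choice the article's worked example makes.
QDAY_YEAR = {"government": 2033, "cni_finance": 2033, "commercial": 2035}
PERMANENT = float("inf")                 # Z with no upper bound

@dataclass
class DataFlow:
    name: str
    z_years: float          # Q1: required confidentiality lifetime
    kex: Optional[str]      # Q2: None means the flow is not inventoried
    threat_model: str       # Q3: key into QDAY_YEAR

def screen(flow, x_years, now=2026, qday_year=None):
    """Return (verdict, margin); margin is X + Z - Y in years, or None."""
    kex = (flow.kex or "").upper()
    if kex in SAFE_KEX:
        return ("QUANTUM_SAFE_KEX", None)
    if kex not in VULNERABLE_KEX:
        return ("BUILD_CBOM", None)      # unknown mechanism is itself a finding
    y = (qday_year or QDAY_YEAR[flow.threat_model]) - now
    margin = x_years + flow.z_years - y
    return ("IN_HNDL_WINDOW" if margin > 0 else "OUTSIDE_WINDOW", margin)

RANK = {"IN_HNDL_WINDOW": 0, "BUILD_CBOM": 1, "OUTSIDE_WINDOW": 2, "QUANTUM_SAFE_KEX": 3}

def prioritise(flows, x_years, **kw):
    """In-window flows first (largest deficit first), then inventory gaps."""
    rows = [(f.name, *screen(f, x_years, **kw)) for f in flows]
    return sorted(rows, key=lambda r: (RANK[r[1]], -(r[2] or 0)))

# Constructed sample inventory, not data from the article.
INVENTORY = [
    DataFlow("retail session token", 0, "ECDHE", "commercial"),
    DataFlow("healthcare record", 40, "ECDHE", "cni_finance"),
    DataFlow("genomic database", PERMANENT, "RSA", "cni_finance"),
    DataFlow("legacy VPN tunnel", 10, None, "commercial"),
    DataFlow("hybrid TLS API", 40, "ML-KEM-hybrid", "cni_finance"),
    DataFlow("email archive", 7, "RSA", "commercial"),
]

if __name__ == "__main__":
    for name, verdict, margin in prioritise(INVENTORY, x_years=5):
        print(f"{name:22} {verdict:17} {margin}")
```

Pass `qday_year=2030` to `screen` or `prioritise` to rerun the same inventory under the pessimistic contingency year mentioned in Question 3.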
First Steps: Not Everything, the Right Things
The priority action for high-risk data categories is not a complete PQC infrastructure migration. That programme takes years. The immediate protective action is hybrid key exchange deployment on the highest-risk data flows, specifically those in the government, healthcare, genomics, financial services, legal, and CNI sectors identified above.
Hybrid TLS using X25519 combined with ML-KEM-768, as specified in IETF RFC 9496 (the X-Wing Hybrid KEM), provides HNDL protection for data in transit from the point of deployment onwards. Traffic captured after hybrid deployment is protected by ML-KEM, which has no known efficient quantum attack. Hybrid deployment runs on existing server hardware; it is a software and configuration change, not an infrastructure rebuild. For data at rest, the priority is identifying which stored archives are protected by quantum-vulnerable key wrapping, and sequencing re-encryption of those archives in order of confidentiality lifetime and sector risk.
Neither of those steps is possible without a Cryptographic Bill of Materials. The CBOM is the prerequisite tool: a structured inventory of which data categories are protected by which cryptographic mechanisms, at which protocol layers. Without it, migration prioritisation is guesswork. CISA's PQC migration guidance and the NIST NCCoE SP 1800-38 project define the CBOM methodology. The QSECDEF Cryptographic Inventory tool provides a structured starting point for building one.
The organisations facing the most acute exposure (those handling genomic data, classified communications, long-duration financial records, or privileged legal correspondence) are those where the data being generated today will carry a confidentiality requirement through the centre of the Q-Day probability window. For them, the HNDL risk is not a future concern. The collection is happening now. The protection needs to be in place now.
Regulatory retention obligations cited in this article reflect the author's understanding of applicable law as of the date of publication. Organisations should verify applicable retention requirements with qualified legal or compliance counsel, particularly where those requirements affect data classification decisions with regulatory implications.