In recent years, there has been an undisputed increase in enterprise data breaches across the globe. At first, this was only a concern for IT, CISOs and CIOs. However, with growing fiduciary responsibility, cybersecurity is gaining attention at board-level decisions. This is an important shift, as the emerging quantum threat will require organizations to carefully review their long-term data protection requirements to ensure compliance in the quantum age.

Organizations have a legal responsibility to protect customer data

For decades now, organizations have been collecting data; combing through our search results, social media posts, and online transactions to gain strategic insights into their customers. And this effort wasn’t in vain; organizations have learned how to personalize our customer experience, target advertisements, and even help mitigate cyber fraud. The uses of customer information are so vast that even after all these years of collection, new avenues to utilize big data are still being discovered. The fact is, data is a powerful tool. However, with this power comes great responsibility, or at least certain stipulations.

As customers, we constantly make decisions around how we share our personal information, often trying to create a balance between security and convenience. When we choose to make private information such as credit cards, emails, patient records or contact information available to our service providers, we also implicitly trust that there will be a high standard of protection afforded to this data. This expectation goes beyond the ethical duty companies have towards their customers and crosses into compliance at a legislative level.
Whether it is adhering to the General Data Protection Regulation in Europe or specific requirements such as the Health and Information Protection Act of Ontario, enterprises are legally responsible to maintain personal data to protect their customers’ identity and information.

How does quantum information science threaten to compromise an organization’s ability to protect sensitive information?

Within a decade, experts predict that a large-scale quantum computer will be developed. With their particular computing abilities, quantum computers will have the capacity to solve some of today’s hardest problems, including the underlying problems that form the basis for public key cryptography. This is a concern as public key cryptography provides the very foundation of trust required to protect all our online data and digital transactions. In a very real sense, this has a direct effect on an organization’s ability to comply with long-term data requirements and regulations.

Today, some adversaries have the ability to intercept and store – harvest – information for later decryption using a quantum computer. That means data encrypted today could be decrypted within a decade. All variables considered, if your organization has long-term data protection requirements, then a “harvest and decrypt later” attack may have already compromised your security objectives. This is critically important for organizations such as governments, financial institutions, and health care industries, whose long-term data protection requirements can range from 10+ years to the life of a patient.
With the quantum threat undermining their security objectives, organizations can be opening themselves up to liability or other damaging business outcomes resulting from a catastrophic data breach.

Organizations have an obligation to prepare for emerging threats

Security leaders are required to take reasonable action to secure against known potential breaches and to continually be aware of new and emerging threats that pose a risk to their business. We already see the quantum threat being recognized by academia and standards bodies, such as NIST and ETSI, so there may already be obligations to shareholders and customers for organizations to prepare for this threat. With growing cybersecurity regulations, failing to secure against a potential breach can open an organization up to class-action litigation due to negligence. Organizations need to begin preparing for the quantum threat so that they can react quickly and cost-efficiently to the responsibilities set by standards and legislative bodies.

A quantum-safe migration is an enterprise-wide project

To become quantum-safe, all devices will eventually need to migrate to quantum-safe cryptography. This is a massive project. Due to its scale, one department will not be able to mitigate the risk across an entire organization. Instead, it’s best tackled through a collaborative effort amongst the whole organization.

To start, security leaders can begin identifying high-risk systems and networks within their organization that have critical dependencies on public key cryptography. This is not a trivial task for CIOs and CISOs. Public key cryptography is so ubiquitous that pinpointing exactly where and how it’s used could prove very difficult.
Once the exposure has been quantified and brought to the attention of the board, steps can be taken as an organization to incorporate quantum-safe cryptography and crypto agility into the overall cybersecurity objectives of the enterprise.

What organizations need to do to mitigate their risk

As suggested by NIST, organizations need to establish procurement policies on an enterprise-wide scale that mandate crypto agility – the ability to rapidly switch cryptographic algorithms for newer/safer ones. By building crypto agility into your networks, system upgrades can be future-proofed against the quantum threat. CIOs will be able to react quickly to standards, securing customers’ identities and protecting the organization from liability.

However, the first step begins with setting expectations among the entire organization to achieve quantum-safe security before public key cryptography is broken.