'Harvest Now, Decrypt Later': The Quiet Threat in a Bank of America Patent

Most breach coverage assumes the attacker wants your data now. But a quieter, stranger threat is being designed into corporate defenses: the attacker who steals encrypted data they cannot read, betting that they will be able to read it years from now. It is called "harvest now, decrypt later," and the fact that a major bank is patenting against it tells you it has moved from theory to planning assumption.

Bank of America's grant US12652311B2, "Preservation of network integrity in changing network conditions triggered by data harvesting for retrospective decryption" (issued June 9, 2026; CPC H04L 63/1441, responding to detected intrusion, and H04L 63/1416, anomaly detection), names the threat in its own title. The premise: detect the bulk exfiltration of encrypted data and respond, on the theory that the attacker's payoff is deferred to a future where the encryption no longer holds.

The reason this is suddenly serious is post-quantum cryptography. Much of today's encryption rests on math that classical computers cannot crack in any reasonable time — but a sufficiently capable quantum computer could. Nobody has one yet at the needed scale. "Harvest now, decrypt later" is the bet that someone will, and that data with a long shelf life — financial records, health data, state secrets, anything that is still sensitive in a decade — is worth stealing in ciphertext today.

The regulatory and policy stakes follow directly. A breach used to be a present-tense event: data exposed, harm assessed, disclosure made. The harvest-now model makes a breach a future-tense liability — encrypted data taken today may become readable, and material, years after the incident is closed. That complicates everything from breach-notification timing to the materiality judgments that drive SEC disclosure, because the harm is real but not yet realized.

The grounded takeaway: a patent is a method, not a deployed shield, and detecting encrypted-data exfiltration is genuinely hard precisely because encrypted traffic is supposed to be opaque. But the existence of this grant, from a bank rather than a security vendor, is the signal worth reading. The most forward-looking organizations are no longer only defending against attackers who want to read your data. They are defending against attackers patient enough to wait for the math to break.