Questions the board should ask after the surveillance disclosures
Backup, jurisdiction, logging, contracts, operator access - what leadership needs to verify after the PRISM story.
Since the PRISM program became public, most CTOs and security professionals have already held internal discussions. Many companies are reviewing their cloud configurations, revisiting provider agreements, and assessing jurisdictional risks.
But there is a gap I keep seeing: the board of directors and senior leadership are not part of these conversations. The topic stays in IT. And yet this is not only a technical question - it is a question about areas of responsibility, about business risk, and about legal obligations to customers and partners.
If you sit on a board or are a CEO, here are the questions worth asking right now.
What exactly do we store, and where
The first question is foundational. What data - company data, customer data, partner data - is in the cloud? On whose servers? In which countries is the equipment physically located?
This question surprisingly often has no precise answer, even in large companies. "Data is in the cloud" is not an answer. What is needed is specifics: which provider, which region, what classification of data.
Without this answer it is impossible to assess either the jurisdictional risk or the risk of failing to meet regulatory requirements.
What the contract says about third-party access
Most companies read the SLA for uptime and backup provisions. Much less often do they read the section on what happens when a government request arrives at the provider.
Specific questions:
- Is the provider required to notify us of such a request? Or does the legislation of their country of incorporation prohibit them from doing so?
- What data can the provider technically hand over in response to such a request?
- Does the contract include a governing law clause - and does it work in our favour?
The answers may be unpleasant. But it is better to find out now.
How access to our data is logged
If someone outside the company gains access to company data - will we find out? How quickly? From what source?
Most cloud providers maintain access logs. But are they configured so that your security team receives an alert on abnormal patterns? Can you independently verify who accessed which data, and when?
Logging is not only about external threats. It is about the ability to investigate an incident after the fact.
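To make the question above concrete, here is an added example (not from the original article) of the kind of independent check a security team can run over an exported access log: it flags access by principals that are not on the company's approved list, by principals outside the company's own domain (provider operators, third parties), and from provider regions the company has not approved, and it answers "who read this dataset, and when" directly from the log rather than from the provider's assurances. The log format, field names, principal names, regions and approved lists are constructed assumptions, not any provider's real schema or any real company's policy.

```python
"""Review a constructed cloud access log against an assumed company policy:
flag out-of-policy access and answer "who accessed which data, and when".
"""
import json

# Constructed sample of an audit log in JSON Lines form. The field names
# (time, principal, action, resource, region) are an assumption modelled on the
# general shape of cloud audit logs, not a specific provider's schema.
# The fourth line is deliberately truncated to show how a gap in the trail is handled.
SAMPLE_LOG = """\
{"time": "2013-06-10T08:05:12Z", "principal": "alice@corp.example", "action": "read", "resource": "customers/2013-06.csv", "region": "eu-central-1"}
{"time": "2013-06-10T08:07:40Z", "principal": "svc-backup@corp.example", "action": "read", "resource": "customers/2013-06.csv", "region": "eu-west-1"}
{"time": "2013-06-10T09:15:03Z", "principal": "support-ops@provider.example", "action": "read", "resource": "customers/2013-06.csv", "region": "us-east-1"}
{"time": "2013-06-10T10:00:00Z", "principal": "carol@corp.ex
{"time": "2013-06-10T11:42:55Z", "principal": "bob@corp.example", "action": "read", "resource": "partners/contracts.db", "region": "us-east-1"}
{"time": "2013-06-10T12:00:00Z", "principal": "alice@corp.example", "action": "write", "resource": "internal/notes.txt", "region": "eu-central-1"}
"""

# Assumed company policy: who may touch the data, and in which provider regions.
APPROVED_PRINCIPALS = {"alice@corp.example", "bob@corp.example", "svc-backup@corp.example"}
APPROVED_REGIONS = {"eu-central-1", "eu-west-1"}
COMPANY_DOMAIN = "corp.example"


def parse_log(text):
    """Parse JSON Lines into event dicts; unparseable lines are kept as
    {"malformed": True, "raw": ...} so that gaps in the trail are not silently dropped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            events.append({"malformed": True, "raw": line})
    return events


def check_event(event):
    """Return the policy violations for one event (an empty list means in-policy)."""
    if event.get("malformed"):
        return ["unparseable log line: gap in the audit trail"]
    reasons = []
    principal = event.get("principal", "")
    if principal not in APPROVED_PRINCIPALS:
        reasons.append("unknown principal")
    if not principal.endswith("@" + COMPANY_DOMAIN):
        reasons.append("principal outside company domain (operator or third party)")
    if event.get("region") not in APPROVED_REGIONS:
        reasons.append("access from unapproved region")
    return reasons


def review_access(text):
    """Return one finding per out-of-policy event, in log order."""
    findings = []
    for event in parse_log(text):
        reasons = check_event(event)
        if reasons:
            findings.append({
                "time": event.get("time", "?"),
                "principal": event.get("principal", "?"),
                "resource": event.get("resource", "?"),
                "reasons": reasons,
            })
    return findings


def who_accessed(text, resource_prefix):
    """Answer 'who accessed this dataset, and when', oldest first, from the log itself."""
    hits = [(e["time"], e["principal"], e["action"])
            for e in parse_log(text)
            if e.get("resource", "").startswith(resource_prefix)]
    return sorted(hits)


if __name__ == "__main__":
    for finding in review_access(SAMPLE_LOG):
        print(finding["time"], finding["principal"], finding["resource"], "->", "; ".join(finding["reasons"]))
    print("customers/ was read by:", who_accessed(SAMPLE_LOG, "customers/"))
```

On the constructed sample this reports three findings: the provider-side principal reading customer data from an unapproved region, the truncated line (a gap in the trail is itself a finding, since an incomplete log cannot support the after-the-fact investigation the question is about), and an approved user reading partner data from an unapproved region. The same structure applies to a real export once the field names and policy sets are replaced with the company's own.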
What the plan is if the provider becomes unavailable
This question is not directly connected to PRISM, but the surveillance story illustrates a broader principle: critical dependence on a single external service is a risk.
A provider can be unavailable for technical reasons. It can come under sanctions. It can receive a regulatory demand that changes operating conditions. What happens to the business in each of these scenarios?
It is not necessary to have a ready answer for every scenario. It is necessary to know that someone has started thinking about it.
What obligations we have toward clients
If the company holds data belonging to clients - individuals or businesses - it carries responsibility toward them. In a number of jurisdictions this responsibility is codified in law. In others it follows from the contract or from reasonable client expectations.
The question: if it turns out that client data was accessed without authorisation through mechanisms we did not know about - what are we required to do? Notify clients? The regulator? Within what timeframe?
This is not hypothetical. Several countries already have mandatory breach notification requirements, and violating them costs more than the incident itself.
One practical next step
If after reading these questions there is no confidence in the answers - the right next move is not panic and not an immediate restructuring of the IT infrastructure.
The right next move is to put on the board's agenda a meeting with the CTO and the head of security, at which written answers to these five questions are obtained. Not verbal assurances - answers with specific references to documents and configurations.
That will take a few hours. But that is exactly what a board of directors is for.