TECHNOLOGY & COMMUNICATIONS SECTOR
TELECOMMUNICATION SERVICES
Sustainability Accounting Standard
Sustainable Industry Classification System® (SICS®) TC-TL
Prepared by the Sustainability Accounting Standards Board
October 2018
INDUSTRY STANDARD | VERSION 2018-10
© 2018 The SASB Foundation. All Rights Reserved. sasb.org

About SASB

The SASB Foundation was founded in 2011 as a not-for-profit, independent standards-setting organization. The SASB Foundation’s mission is to establish and maintain industry-specific standards that assist companies in disclosing financially material, decision-useful sustainability information to investors.

The SASB Foundation operates in a governance structure similar to the structure adopted by other internationally recognized bodies that set standards for disclosure to investors, including the Financial Accounting Standards Board (FASB) and the International Accounting Standards Board (IASB). This structure includes a board of directors (“the Foundation Board”) and a standards-setting board (“the Standards Board” or "the SASB"). The Standards Board develops, issues, and maintains the SASB standards. The Foundation Board oversees the strategy, finances and operations of the entire organization, and appoints the members of the Standards Board. The Foundation Board is not involved in setting standards, but is responsible for overseeing the Standards Board’s compliance with the organization’s due process requirements.

As set out in the SASB Rules of Procedure, the SASB’s standards-setting activities are transparent and follow careful due process, including extensive consultation with companies, investors, and relevant experts.

The SASB Foundation is funded by a range of sources, including contributions from philanthropies, companies, and individuals, as well as through the sale and licensing of publications, educational materials, and other products.
The SASB Foundation receives no government financing and is not affiliated with any governmental body, the FASB, the IASB, or any other financial accounting standards-setting body.

SUSTAINABILITY ACCOUNTING STANDARDS BOARD
1045 Sansome Street, Suite 450
San Francisco, CA 94111
415.830.9220
info@sasb.org
sasb.org

The information, text, and graphics in this publication (the “Content”) are owned by The SASB Foundation. All rights reserved. The Content may be used only for non-commercial, informational, or scholarly use, provided that all copyright and other proprietary notices related to the Content are kept intact, and that no modifications are made to the Content. The Content may not be otherwise disseminated, distributed, republished, reproduced, or modified without the prior written permission of The SASB Foundation. To request permission, please contact us at info@sasb.org.

SUSTAINABILITY ACCOUNTING STANDARD | TELECOMMUNICATION SERVICES | 2

Table of Contents

Introduction
Purpose of SASB Standards
Overview of SASB Standards
Use of the Standards
Industry Description
Sustainability Disclosure Topics & Accounting Metrics
Environmental Footprint of Operations
Data Privacy
Data Security
Product End-of-life Management
Competitive Behavior & Open Internet
Managing Systemic Risks from Technology Disruptions

INTRODUCTION

Purpose of SASB Standards

The SASB’s use of the term “sustainability” refers to corporate activities that maintain or enhance the ability of the company to create value over the long term. Sustainability accounting reflects the governance and management of a company’s environmental and social impacts arising from production of goods and services, as well as its governance and management of the environmental and social capitals necessary to create long-term value. The SASB also refers to sustainability as “ESG” (environmental, social, and governance), though traditional corporate governance issues such as board composition are not included within the scope of the SASB’s standards-setting activities.

SASB standards are designed to identify a minimum set of sustainability issues most likely to impact the operating performance or financial condition of the typical company in an industry, regardless of location.
SASB standards are designed to enable communications on corporate performance on industry-level sustainability issues in a cost-effective and decision-useful manner using existing disclosure and reporting mechanisms.

Businesses can use the SASB standards to better identify, manage, and communicate to investors sustainability information that is financially material. Use of the standards can benefit businesses by improving transparency, risk management, and performance. SASB standards can help investors by encouraging reporting that is comparable, consistent, and financially material, thereby enabling investors to make better investment and voting decisions.

Overview of SASB Standards

The SASB has developed a set of 77 industry-specific sustainability accounting standards (“SASB standards” or “industry standards”), categorized pursuant to SASB’s Sustainable Industry Classification System® (SICS®). Each SASB standard describes the industry that is the subject of the standard, including any assumptions about the predominant business model and industry segments that are included. SASB standards include:

1. Disclosure topics – A minimum set of industry-specific disclosure topics reasonably likely to constitute material information, and a brief description of how management or mismanagement of each topic may affect value creation.
2. Accounting metrics – A set of quantitative and/or qualitative accounting metrics intended to measure performance on each topic.
3. Technical protocols – Each accounting metric is accompanied by a technical protocol that provides guidance on definitions, scope, implementation, compilation, and presentation, all of which are intended to constitute suitable criteria for third-party assurance.
4. Activity metrics – A set of metrics that quantify the scale of a company’s business and are intended for use in conjunction with accounting metrics to normalize data and facilitate comparison.
Furthermore, the SASB Standards Application Guidance establishes guidance applicable to the use of all industry standards and is considered part of the standards. Unless otherwise specified in the technical protocols contained in the industry standards, the guidance in the SASB Standards Application Guidance applies to the definitions, scope, implementation, compilation, and presentation of the metrics in the industry standards.

The SASB Conceptual Framework sets out the basic concepts, principles, definitions, and objectives that guide the Standards Board in its approach to setting standards for sustainability accounting. The SASB Rules of Procedure is focused on the governance processes and practices for standards setting.

Use of the Standards

SASB standards are intended for use in communications to investors regarding sustainability issues that are likely to impact corporate ability to create value over the long term. Use of SASB standards is voluntary. A company determines which standard(s) is relevant to the company, which disclosure topics are financially material to its business, and which associated metrics to report, taking relevant legal requirements into account.¹ In general, a company would use the SASB standard specific to its primary industry as identified in SICS®. However, companies with substantial business in multiple SICS® industries can consider reporting on these additional SASB industry standards.

It is up to a company to determine the means by which it reports SASB information to investors. One benefit of using SASB standards may be achieving regulatory compliance in some markets. Other investor communications using SASB information could be sustainability reports, integrated reports, websites, or annual reports to shareholders.
There is no guarantee that SASB standards address all financially material sustainability risks or opportunities unique to a company’s business model.

Industry Description

The Telecommunication Services industry consists of wireless and wireline telecommunications companies, as well as companies that provide cable and satellite services. The wireless services segment provides direct communication through radio-based cellular networks and operates and maintains the associated switching and transmission facilities. The wireline segment provides local and long distance voice communication via the Public Switched Telephone Network. Wireline carriers also offer voice over internet protocol (VoIP) telephone, television, and broadband internet services over an expanding network of fiber optic cables. Cable providers distribute television programming from cable networks to subscribers. They typically also provide consumers with video services, high-speed internet service, and VoIP. These services are traditionally bundled into packages that provide subscribers with easier payment options than paying for each service separately. Satellite companies distribute TV programming through broadcasting satellites orbiting the Earth or through ground stations. Companies serve customers primarily in their domestic markets, although some companies operate in several countries.

¹ Legal Note: SASB standards are not intended to, and indeed cannot, replace any legal or regulatory requirements that may be applicable to a reporting entity’s operations.

SUSTAINABILITY DISCLOSURE TOPICS & ACCOUNTING METRICS

Table 1. Sustainability Disclosure Topics & Accounting Metrics

| TOPIC | ACCOUNTING METRIC | CATEGORY | UNIT OF MEASURE | CODE |
|---|---|---|---|---|
| Environmental Footprint of Operations | (1) Total energy consumed, (2) percentage grid electricity, (3) percentage renewable | Quantitative | Gigajoules (GJ), Percentage (%) | TC-TL-130a.1 |
| Data Privacy | Description of policies and practices relating to behavioral advertising and customer privacy | Discussion and Analysis | n/a | TC-TL-220a.1 |
| Data Privacy | Number of customers whose information is used for secondary purposes | Quantitative | Number | TC-TL-220a.2 |
| Data Privacy | Total amount of monetary losses as a result of legal proceedings associated with customer privacy² | Quantitative | Reporting currency | TC-TL-220a.3 |
| Data Privacy | (1) Number of law enforcement requests for customer information, (2) number of customers whose information was requested, (3) percentage resulting in disclosure | Quantitative | Number, Percentage (%) | TC-TL-220a.4 |
| Data Security | (1) Number of data breaches, (2) percentage involving personally identifiable information (PII), (3) number of customers affected³ | Quantitative | Number, Percentage (%) | TC-TL-230a.1 |
| Data Security | Description of approach to identifying and addressing data security risks, including use of third-party cybersecurity standards | Discussion and Analysis | n/a | TC-TL-230a.2 |
| Product End-of-life Management | (1) Materials recovered through take back programs, percentage of recovered materials that were (2) reused, (3) recycled, and (4) landfilled | Quantitative | Metric tons (t), Percentage (%) | TC-TL-440a.1 |
| Competitive Behavior & Open Internet | Total amount of monetary losses as a result of legal proceedings associated with anti-competitive behavior regulations⁴ | Quantitative | Reporting currency | TC-TL-520a.1 |
| Competitive Behavior & Open Internet | Average actual sustained download speed of (1) owned and commercially-associated content and (2) non-associated content | Quantitative | Megabits per second (Mbps) | TC-TL-520a.2 |
| Competitive Behavior & Open Internet | Description of risks and opportunities associated with net neutrality, paid peering, zero rating, and related practices | Discussion and Analysis | n/a | TC-TL-520a.3 |
| Managing Systemic Risks from Technology Disruptions | (1) System average interruption frequency and (2) customer average interruption duration⁵ | Quantitative | Disruptions per customer, Hours per customer | TC-TL-550a.1 |
| Managing Systemic Risks from Technology Disruptions | Discussion of systems to provide unimpeded service during service interruptions | Discussion and Analysis | n/a | TC-TL-550a.2 |

² Note to TC-TL-220a.3 – The entity shall briefly describe the nature, context, and any corrective actions taken as a result of the monetary losses.
³ Note to TC-TL-230a.1 – Disclosure shall include a description of corrective actions implemented in response to data breaches.
⁴ Note to TC-TL-520a.1 – The entity shall briefly describe the nature, context, and any corrective actions taken as a result of the monetary losses.
⁵ Note to TC-TL-550a.1 – Disclosure shall include a description of each significant performance issue or service disruption and any corrective actions taken to prevent future disruptions.

Table 2. Activity Metrics

| ACTIVITY METRIC | CATEGORY | UNIT OF MEASURE | CODE |
|---|---|---|---|
| Number of wireless subscribers⁶ | Quantitative | Number | TC-TL-000.A |
| Number of wireline subscribers⁷ | Quantitative | Number | TC-TL-000.B |
| Number of broadband subscribers⁸ | Quantitative | Number | TC-TL-000.C |
| Network traffic | Quantitative | Petabytes | TC-TL-000.D |

⁶ Note to TC-TL-000.A – Wireless subscribers are defined as those customers that contract with the entity for mobile services, which include cellular phone service and/or wireless data service.
⁷ Note to TC-TL-000.B – Wireline subscribers are defined as those customers that contract with the entity for fixed line phone services.
⁸ Note to TC-TL-000.C – Broadband subscribers are defined as those customers that contract with the entity for fixed line cable and internet services, which include WiFi connections.
Environmental Footprint of Operations

Topic Summary

Individual telecommunication services companies consume substantial amounts of energy. Depending on the source of energy and the efficiency of its generation, electricity consumption by telecom network infrastructure can contribute significantly to environmental externalities, such as climate change, creating sustainability risks for the industry. Although network equipment and data centers are becoming more energy-efficient, their overall energy consumption is increasing with the expansion in telecommunications infrastructure and data traffic. The way in which telecommunication services companies manage their overall energy efficiency or intensity, their reliance on different types of energy, and their ability to access alternative sources of energy will become increasingly material as the global regulatory focus on climate change increases, bringing with it incentives for energy efficiency and renewable energy as well as pricing of greenhouse gas emissions (GHG). Since expenditures on energy can be significant in the industry, companies that are able to improve the energy-efficiency of their operation are likely to see cost savings and higher profit margins.

Accounting Metrics

TC-TL-130a.1. (1) Total energy consumed, (2) percentage grid electricity, (3) percentage renewable

1 The entity shall disclose (1) the total amount of energy it consumed as an aggregate figure, in gigajoules (GJ).
1.1 The scope of energy consumption includes energy from all sources, including energy purchased from sources external to the entity and energy produced by the entity itself (self-generated). For example, direct fuel usage, purchased electricity, and heating, cooling, and steam energy are all included within the scope of energy consumption.
1.2 The scope of energy consumption includes only energy directly consumed by the entity during the reporting period.
1.3 In calculating energy consumption from fuels and biofuels, the entity shall use higher heating values (HHV), also known as gross calorific values (GCV), which are directly measured or taken from the Intergovernmental Panel on Climate Change (IPCC), the U.S. Department of Energy (DOE), or the U.S. Energy Information Administration (EIA).
2 The entity shall disclose (2) the percentage of energy it consumed that was supplied from grid electricity.
2.1 The percentage shall be calculated as purchased grid electricity consumption divided by total energy consumption.
3 The entity shall disclose (3) the percentage of energy it consumed that is renewable energy.
3.1 Renewable energy is defined as energy from sources that are replenished at a rate greater than or equal to their rate of depletion, such as geothermal, wind, solar, hydro, and biomass.
3.2 The percentage shall be calculated as renewable energy consumption divided by total energy consumption.
3.3 The scope of renewable energy includes renewable fuel the entity consumed, renewable energy the entity directly produced, and renewable energy the entity purchased, if purchased through a renewable power purchase agreement (PPA) that explicitly includes renewable energy certificates (RECs) or Guarantees of Origin (GOs), a Green-e Energy Certified utility or supplier program, or other green power products that explicitly include RECs or GOs, or for which Green-e Energy Certified RECs are paired with grid electricity.
3.3.1 For any renewable electricity generated on-site, any RECs and GOs must be retained (i.e., not sold) and retired or cancelled on behalf of the entity in order for the entity to claim them as renewable energy.
3.3.2 For renewable PPAs and green power products, the agreement must explicitly include and convey that RECs and GOs be retained or replaced and retired or cancelled on behalf of the entity in order for the entity to claim them as renewable energy.
3.3.3 The renewable portion of the electricity grid mix that is outside of the control or influence of the entity is excluded from the scope of renewable energy.
3.4 For the purposes of this disclosure, the scope of renewable energy from hydro and biomass sources is limited to the following:
3.4.1 Energy from hydro sources is limited to those that are certified by the Low Impact Hydropower Institute or that are eligible for a state Renewable Portfolio Standard;
3.4.2 Energy from biomass sources is limited to materials certified to a third-party standard (e.g., Forest Stewardship Council, Sustainable Forest Initiative, Programme for the Endorsement of Forest Certification, or American Tree Farm System), materials considered eligible sources of supply according to the Green-e Framework for Renewable Energy Certification, Version 1.0 (2017) or Green-e regional standards, and/or materials that are eligible for an applicable state renewable portfolio standard.
4 The entity shall apply conversion factors consistently for all data reported under this disclosure, such as the use of HHVs for fuel usage (including biofuels) and conversion of kilowatt hours (kWh) to GJ (for energy data including electricity from solar or wind energy).
5 The entity may disclose the trailing twelve-month (TTM) weighted average power usage effectiveness (PUE) for its data centers.
5.1 PUE is defined as the ratio of the total amount of power used by a computer data center facility to the amount of power delivered to computing equipment.
5.2 If disclosing PUE, the entity shall follow the guidance and calculation methodology described in PUE™: A Comprehensive Examination of the Metric (2014), published by ASHRAE and The Green Grid Association.

Data Privacy

Topic Summary

As customers pay increased attention to privacy issues surrounding cell phone, internet, and email services, telecommunication services companies will have to implement strong management practices and guidelines related to their use of customer data. Telecommunication services companies use growing volumes of customer location, web browsing, and demographic data to improve their services as well as to generate revenue by selling such data to third parties. Growing public concern about privacy has led to increased regulatory scrutiny over the use, collection, and sale of consumer data. These trends are increasing the importance to telecommunication services companies of adopting and communicating in a transparent manner policies about providing customer data to third parties, including the amount and type of data provided and the nature of its use (for example, use for commercial purposes). Additionally, telecommunication services companies receive, and must determine whether to comply with, government requests for customer information. Companies in the industry that fail to manage performance in this area are susceptible to decreased revenues as a result of lost consumer confidence and churn, as well as to financial impacts stemming from legal exposures.

Accounting Metrics

TC-TL-220a.1. Description of policies and practices relating to behavioral advertising and customer privacy

1 The entity shall describe the nature, scope, and implementation of its policies and practices related to customer privacy, with a specific focus on how it addresses the collection, usage, and retention of customer information.
1.1 Customer information includes information that pertains to a customer’s attributes or actions, including but not limited to, account statements, transaction records, records of communications, content of communications, demographic data, behavioral data, location data, and/or personally identifiable information (PII).
1.1.1 Demographic data are defined as the quantifiable statistics that identify and distinguish a given population. Examples of demographic data include gender, age, race/ethnicity, knowledge of languages, disabilities, mobility, home ownership, and employment status.
1.1.2 Behavioral data are defined as the product of tracking, measuring, and recording individual behaviors, such as online browsing patterns, buying habits, brand preferences, and product usage patterns.
1.1.3 Location data are defined as data describing the physical location or movement patterns of an individual, such as Global Positioning System (GPS) coordinates or other related data that would enable identifying and tracking an individual’s physical location.
1.1.4 PII is defined as any information about an individual that is maintained by an entity, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, Social Security Number (SSN), date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. This definition is derived from the U.S. Government Accountability Office’s Report to Congressional Requesters, Alternatives Exist for Enhancing Protection of Personally Identifiable Information.
2 The entity shall describe the information “lifecycle” (i.e., collection, usage, retention, processing, disclosure, and destruction of information) and how information-handling practices at each stage may affect individuals’ privacy.
2.1 With respect to data collection, it may be relevant for the entity to discuss which data or types of data are collected without the consent of an individual, which require opt-in consent, and which require opt-out action from the individual.
2.2 With respect to usage of data, it may be relevant for the entity to discuss which data or types of data are used by the entity internally, and under which circumstances the entity shares, sells, rents, or otherwise distributes data or information to third-parties.
2.3 With respect to retention, it may be relevant for the entity to discuss which data or types of data it retains, the length of time of retention, and practices used to ensure that data is stored securely.
3 The entity shall discuss the degree to which its policies and practices address similar issues as those outlined in the U.S. Office of Management and Budget’s “Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 (M-03-22),” including use of Privacy Impact Assessments (PIAs).
3.1 A PIA is an analysis of how information is handled that ensures handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; determines the risks and effects of collecting, maintaining, and disseminating information in identifiable form in an electronic information system; and examines and evaluates protections and alternative processes for handling information in order to mitigate potential privacy risks.
3.2 As outlined by OMB M-03-22, PIAs must analyze and describe: (a) what information is to be collected, (b) why the information is being collected, (c) the intended use of the information, (d) with whom the information will be shared, (e) what opportunities individuals have to decline to provide information (i.e., where providing information is voluntary) or to consent to particular uses of the information (other than required or authorized uses), including how individuals can grant consent, and (f) how the information will be secured, among other government-specific requirements.
4 The entity shall discuss how its policies and practices related to privacy of customer information address children’s privacy, which at a minimum includes the provisions of the U.S. Children’s Online Privacy Protection Act (COPPA).
5 The scope of disclosure includes both first- and third-party advertising.
6 With respect to behavioral advertising, the entity may describe how it addresses the following principles, described by the cross-industry Self-Regulatory Principles for Online Behavioral Advertising:
6.1 Education: participation in educational efforts for consumers about behavioral online advertising
6.2 Transparency: clearly disclosing information about data collection and data use practices
6.3 Consumer control: allowing customers to choose whether data is collected or transferred to non-affiliates
6.4 Data security: providing basic security provisions and having clear policies relating to retention of customer information
6.5 Material changes: obtaining consent before applying changes to policies that are less restrictive than existing ones
6.6 Sensitive data: abiding by COPPA, and handling customer data such as financial information, Social Security numbers, and medical information
6.7 Accountability: participation in self-regulatory organizations such as the Direct Marketing Association

TC-TL-220a.2. Number of customers whose information is used for secondary purposes

1 The entity shall disclose the number of unique customers whose information is used for secondary purposes.
1.1 Customer information includes information that pertains to a customer’s attributes or actions, including but not limited to, account statements, transaction records, records of communications, content of communications, demographic data, behavioral data, location data, and/or personally identifiable information (PII).
1.1.1 Demographic data are defined as the quantifiable statistics that identify and distinguish a given population. Examples of demographic data include gender, age, race/ethnicity, knowledge of languages, disabilities, mobility, home ownership, and employment status.
1.1.2 Behavioral data are defined as the product of tracking, measuring, and recording individual behaviors such as online browsing patterns, buying habits, brand preferences, and product usage patterns.
1.1.3 Location data are defined as data describing the physical location or movement patterns of an individual, such as Global Positioning System (GPS) coordinates or other related data that would enable identifying and tracking an individual’s physical location.
1.1.4 PII is defined as any information about an individual that is maintained by an entity, including: (1) any information that can be used to distinguish or trace an individual’s identity, such as name, Social Security Number (SSN), date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. This definition is derived from the U.S. Government Accountability Office’s Report to Congressional Requesters, Alternatives Exist for Enhancing Protection of Personally Identifiable Information.
1.2 Secondary purpose is defined as the intentional use of data by the entity (i.e., not a breach of security) that is outside the primary purpose for which the data was collected. Examples of secondary purposes include, but are not limited to, selling targeted ads, improving the entity’s products or service offerings, and transferring data or information to a third-party through sale, rental, or sharing.
1.3 Customer accounts that the entity cannot verify as belonging to the same individual shall be disclosed separately.
2 The scope of disclosure shall include the customers whose information is used by the entity itself for secondary purposes as well as the customers whose information is provided to affiliates or non-affiliates to use for secondary purposes.
2.1 Affiliate is defined as an entity that directly or indirectly controls, is controlled by, or is under common control with the entity.
2.2 Non-affiliates are all third parties other than the entity and its affiliates.

TC-TL-220a.3. Total amount of monetary losses as a result of legal proceedings associated with customer privacy

1 The entity shall disclose the total amount of monetary losses it incurred during the reporting period as a result of legal proceedings associated with incidents relating to customer privacy.
2 The legal proceedings shall include any adjudicative proceeding in which the entity was involved, whether before a court, a regulator, an arbitrator, or otherwise.
3 The losses shall include all monetary liabilities to the opposing party or to others (whether as the result of settlement or verdict after trial or otherwise), including fines and other monetary liabilities incurred during the reporting period as a result of civil actions (e.g., civil judgments or settlements), regulatory proceedings (e.g., penalties, disgorgement, or restitution), and criminal actions (e.g., criminal judgment, penalties, or restitution) brought by any entity (e.g., governmental, business, or individual).
4 The scope of monetary losses shall exclude legal and other fees and expenses incurred by the entity in its defense.
5 The scope of disclosure shall include, but is not limited to, legal proceedings associated with the enforcement of relevant industry regulations, such as:
5.1 California Consumer Privacy Act
5.2 EU Directive 2002/58/EC (ePrivacy Directive)
5.3 EU-U.S. Privacy Shield
5.4 EU’s General Data Protection Regulation (GDPR) (EU) 2016/679
5.5 Japan’s Act on the Protection of Personal Information
5.6 U.S. Children’s Online Privacy Protection Act
5.7 U.S. Federal Trade Commission Privacy Act
6 The scope of disclosure shall include, but is not limited to, legal proceedings associated with the enforcement of relevant industry regulations promulgated by regional, national, state, and local regulatory authorities, such as:
6.1 European Data Protection Supervisor
6.2 Japan’s Personal Information Protection Commission
6.3 U.S. Federal Trade Commission

Note to TC-TL-220a.3

1 The entity shall briefly describe the nature (e.g., judgment or order issued after trial, settlement, guilty plea, deferred prosecution agreement, non-prosecution agreement) and context (e.g., unauthorized monitoring, sharing of data, children’s privacy) of all monetary losses as a result of legal proceedings.
2 The entity shall describe any corrective actions it has implemented as a result of the legal proceedings. This may include, but is not limited to, specific changes in operations, management, processes, products, business partners, training, or technology.

TC-TL-220a.4. (1) Number of law enforcement requests for customer information, (2) number of customers whose information was requested, (3) percentage resulting in disclosure

1 The entity shall disclose (1) the total number of unique requests for customer information, including customer content and non-content data, from government or law enforcement agencies.
1.1 Content data includes customer-generated information such as email text or recorded phone conversation.
1.2 Non-content data includes information such as an email address, a person’s name, country of residence, or gender, or system-generated data such as IP addresses and traffic data.
1.3 Both content and non-content data can include personally identifiable information (PII).
1.3.1 PII is defined as any information about an individual that is maintained by an entity, including (a) any information that can be used to distinguish or trace an individual’s identity, such as name, Social Security Number (SSN), date and place of birth, mother’s maiden name, or biometric records; and (b) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. This definition is derived from the U.S. Government Accountability Office’s Report to Congressional Requesters, Alternatives Exist for Enhancing Protection of Personally Identifiable Information.
2 The entity shall disclose (2) the total number of unique customers whose information was requested by government or law enforcement agencies.
2.1 The number of records requested shall be calculated as the sum of unique customers whose customer information was requested across all requests for information from government or law enforcement agencies received during the reporting period.
2.1.1 If the entity is not able to verify that two records (i.e., customer information) belong to the same customer, the entity shall consider this two customers.
3 The entity shall disclose (3) the percentage of government and law enforcement requests that resulted in disclosure to the requesting party.
3.1 The percentage shall be calculated as the number of unique requests that resulted in disclosure to the requesting party divided by the total number of unique requests received.
3.2 The scope of requests that resulted in disclosure shall include requests that resulted in full or partial compliance with the disclosure request within the reporting period.
3.3 The scope of requests that resulted in disclosure shall include, but is not limited to, disclosure to the requesting party of aggregated, de-identified, and anonymized data, which is intended to prevent the recipient from reconfiguring the data to identify an individual’s actions or identity.
3.3.1 The entity may discuss whether these characteristics apply to a portion of its data releases if this discussion would provide necessary context for interpretation of the entity disclosure.
4 The entity may additionally break down its disclosure by region or country.
5 The entity may describe its policy for determining whether to comply with a request for customer data, including under what conditions it will release customer data, what requirements must be met in the request, and the level of management approval required.
6 The entity may describe its policy for notifying customers about such requests, including the timing of notification.

Data Security

Topic Summary

The Telecommunication Services industry is particularly vulnerable to data security threats, as companies manage an increasing volume of customer data, including personally identifiable information, as well as demographic, behavioral, and location data. Recent examples of cyber attacks on critical telecommunications infrastructure illustrate the need for enhanced network security. Inadequate prevention, detection, and remediation of data security threats can influence customer acquisition and retention and result in decreased market share and lower demand for the company’s products.
In addition to reputational damage and customer turnover, data breaches can also result in increased expenses, commonly associated with remediation efforts such as identity protection offerings and employee training on data protection. As the providers of critical infrastructure, the ability of companies to combat cyber attacks is likely to affect reputation and brand value, with a long-term impact on market share and revenue growth potential. Therefore, companies that can identify and address data security risks in a timely manner are likely to be in a better position to protect market share and brand value while also reducing risk exposure to cyber attacks. Additionally, new and emerging data security standards and regulations are likely to affect the operating expenses of companies through increased costs of compliance.

Accounting Metrics

TC-TL-230a.1. (1) Number of data breaches, (2) percentage involving personally identifiable information (PII), (3) number of customers affected

1 The entity shall calculate and disclose (1) the total number of data breaches identified during the reporting period.
1.1 Data breach is defined as the unauthorized movement or disclosure of sensitive information to a party, usually outside the organization, that is not authorized to have or see the information. This definition is derived from the U.S. National Initiative for Cybersecurity Careers and Studies (NICCS) glossary.
1.2 The scope of disclosure is limited to data breaches that resulted in a deviation from the entity’s expected outcomes for confidentiality and/or integrity.
2 The entity shall disclose (2) the percentage of data breaches in which personally identifiable information (PII) was subject to the data breach.
2.1 PII is defined as any information about an individual that is maintained by an entity, including: (1) any information that can be used to distinguish or trace an individual’s identity, such as name, Social Security Number (SSN), date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. This definition is derived from the U.S. Government Accountability Office’s Report to Congressional Requesters, Alternatives Exist for Enhancing Protection of Personally Identifiable Information.
2.2 The scope of disclosure shall include incidents in which encrypted data were acquired with an encryption key that was also acquired, as well as if there is a reasonable belief that encrypted data could be readily converted to plaintext.
2.2.1 Encryption is defined as the process of transforming plaintext into ciphertext. This definition is derived from the NICCS glossary.
2.3 The scope of disclosure is limited to breaches in which customers were notified of the breach, either as required by law or voluntarily by the entity.
3 The entity shall disclose (3) the total number of unique customers who were affected by data breaches, which includes all those whose personal data was compromised in a data breach.
3.1 Accounts that the entity cannot verify as belonging to the same customer shall be disclosed separately.
4 The entity may delay disclosure if a law enforcement agency has determined that notification impedes a criminal investigation or until the law enforcement agency determines that such notification does not compromise the investigation.

Note to TC-TL-230a.1

1 The entity shall describe the corrective actions taken in response to data breaches, such as changes in operations, management, processes, products, business partners, training, or technology.
1.1 The U.S. SEC’s Commission Statement and Guidance on Public Company Cybersecurity Disclosures may provide further guidance on disclosures on the corrective actions taken in response to data breaches.
2 All disclosure shall be sufficient such that it is specific to the risks the entity faces, but disclosure itself will not compromise the entity’s ability to maintain data privacy and security.
3 The entity may disclose its policy for disclosing data breaches to affected customers in a timely manner.

TC-TL-230a.2. Description of approach to identifying and addressing data security risks, including use of third-party cybersecurity standards

1 The entity shall describe its approach to identifying vulnerabilities in its information systems that pose a data security risk.
1.1 Vulnerability is defined as a weakness in an information system, system security procedures, internal controls, and/or implementation that could be exploited.
1.2 Data security risk is defined as any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or nations through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
2 The entity shall describe its approach to addressing data security risks and vulnerabilities it has identified, including, but not limited to, operational procedures, management processes, structure of products, selection of business partners, employee training, and use of technology.
3 The entity shall describe its use of third-party cybersecurity risk management standards.
3.1 Third-party cybersecurity risk management standards are defined as standards, frameworks, and/or guidance developed by a third-party with the explicit purpose of aiding companies in identifying cybersecurity threats, and/or preventing, responding to, and/or remediating cybersecurity incidents.
3.2 Examples of third-party cybersecurity risk management standards include, but are not limited to:
3.2.1 The American Institute of Certified Public Accountants’ (AICPA) Service Organization Controls (SOC) for Cybersecurity
3.2.2 ISACA’s COBIT 5
3.2.3 ISO/IEC 27000-series
3.2.4 National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1
3.3 Disclosure shall include, but is not limited to:
3.3.1 Identification of the specific cybersecurity risk management standard(s) that have been implemented or are otherwise in use
3.3.2 Description of the extent of its use of cybersecurity risk management standard(s), such as by applicable operations, business unit, geography, product, or information system
3.3.3 The role of cybersecurity risk management standards in the entity’s overall approach to identifying vulnerabilities in its information systems and addressing data security risks and vulnerabilities
3.3.4 If the third-party verification of the use of cybersecurity risk management standards is conducted, including independent examinations or audits
3.3.5 Ongoing activities and initiatives related to increasing the use of cybersecurity risk management standards, even if such standards are not currently in use
4 The entity may discuss trends it has observed in type, frequency, and origination of attacks to its data security and information systems.
5 The U.S.
SEC’s Commission Statement and Guidance on Public Company Cybersecurity Disclosures may provide further guidance on disclosures on the entity’s approach to addressing data security risks and vulnerabilities.
6 All disclosure shall be sufficient such that it is specific to the risks the entity faces but disclosure itself would not compromise the entity’s ability to maintain data privacy and security.

Product End-of-life Management

Topic Summary

Due to the rapid obsolescence of communications devices, particularly mobile phones, they represent an increasing proportion of electronic waste (e-waste) going to landfills, driven in part by a low recycling rate. Telecommunication services companies face growing regulatory risks related to this issue. Multiple jurisdictions have implemented e-waste recycling laws mandating that electronics retailers and manufacturers create a system for recycling, reuse, or proper disposal of electronic devices. While many of these laws in their early days covered a limited scope of products, newer laws extend to mobile devices requiring companies to finance the collection, treatment, recycling, or proper disposal of e-waste, as concerns around e-waste from communications devices increase. E-waste laws often require vendors or manufacturers to pay for the recycling of such waste or put in place product take-back and recycling programs. Penalties or costs, due to such laws, together with potential revenues generated from refurbishing and re-selling products, are increasingly providing incentives for companies in the industry to manage end-of-life impacts. Many telecommunication services companies work in partnership with phone manufacturers to bundle telecom services and mobile devices, and therefore have a shared responsibility for end-of-life management of such devices.
Their relationship with customers provides an opportunity for effective management of product recycling, reuse, and disposal. Establishing take-back programs to recover end-of-life materials for further reuse, recycling, or remanufacturing can allow companies cost savings and more resilient supply of manufacturing materials.

Accounting Metrics

TC-TL-440a.1. (1) Materials recovered through take back programs, percentage of recovered materials that were (2) reused, (3) recycled, and (4) landfilled

1 The entity shall disclose (1) the weight, in metric tons, of materials recovered through product take-back programs and recycling services.
1.1 The scope of disclosure shall include products, materials, and parts that are at the end of their useful life and would have otherwise been disposed of as waste or used for energy recovery, but have instead been collected.
1.2 The scope of disclosure shall include both materials physically handled by the entity and materials of which the entity does not take physical possession, but for which it has contracted with a third party the task of collection for the expressed purpose of reuse, recycling, or refurbishment.
1.3 The scope of disclosure excludes products and parts that are in-warranty and have been collected for repairs.
2 The entity shall disclose (2) the percentage of materials recovered that were reused.
2.1 Reused materials are defined as those recovered products or components of products that are used, or are intended to be used in the future, by the entity or by a third-party for their originally intended purpose.
2.2 Percentage shall be calculated as the weight of the recovered materials that were reused divided by the total weight of all recovered materials.
2.3 The scope of reused materials includes products donated and/or refurbished by the entity or third parties.
2.4 The scope of disclosure includes reuse by the entity or by third-parties through direct contract with the entity.
3 The entity shall disclose (3) the percentage of materials recovered that were recycled or remanufactured.
3.1 Recycled and remanufactured materials are defined as materials that have been reprocessed or treated by means of a production or manufacturing process and made into a final product or made into a component for incorporation into a product.
3.2 Percentage shall be calculated as the weight of the recovered materials that were recycled or remanufactured divided by the total weight of all recovered materials.
3.3 The scope of disclosure includes recycling conducted by the entity or by third parties through direct contract with the entity.
3.4 Portions of products and materials that are disposed of in landfills are not considered recycled; only the portions of products that are directly incorporated into new products, co-products, or by-products shall be included in the percentage recycled.
3.5 Materials incinerated, including for energy recovery, are not considered recycled.
3.5.1 Energy recovery is defined as the use of combustible waste as a means to generate energy through direct incineration with or without other waste but with recovery of the heat.
4 The entity shall disclose (4) the percentage of materials recovered that were landfilled.
4.1 Percentage shall be calculated as the weight of the recovered materials that were landfilled divided by the total weight of all recovered materials.
5 Electronic waste material (e-waste) shall be considered recycled only if the entity can demonstrate that this material was transferred to entities with third-party certification to a standard for e-waste recycling such as Basel Action Network’s e-Steward® standard or the U.S. EPA’s Responsible Recycling Practices (R2) standard.
5.1 The entity shall disclose the standard(s) to which the entities it has transferred e-waste are compliant.
Competitive Behavior & Open Internet

Topic Summary

The Telecommunication Services industry contains classic examples of natural monopolies, where high capital costs can allow them to offer the most efficient production. Given the concentrated nature of telecommunications, cable, and satellite companies, they must manage their growth strategies within the parameters of a regulatory landscape designed to ensure competition. In addition to natural monopoly, many companies in this industry benefit from terminal access monopolies over the so-called “last-mile” of their networks, given their contractual relationship with each subscriber and the barriers for subscribers to change service providers. The nature of this relationship is the basis of much of the discussion around the need to protect an Open Internet, where all data on the Internet is treated equally in terms of performance and access. The industry faces ongoing legislative and regulatory actions aimed at ensuring competition, which could limit the market share and growth potential of some larger players. Merger and acquisition activity by dominant market players has come under regulatory scrutiny. This has resulted in companies abandoning plans to consolidate, affecting their value. Strong reliance on market dominance can also be a source of risk if companies are vulnerable to legal challenges, increasing their risk profile and cost of capital.

Accounting Metrics

TC-TL-520a.1.
Total amount of monetary losses as a result of legal proceedings associated with anti-competitive behavior regulations

1 The entity shall disclose the total amount of monetary losses it incurred during the reporting period as a result of legal proceedings associated with anti-competitive behavior, including, but not limited to, price fixing, anti-trust behavior (e.g., exclusivity contracts), patent misuse, or network effects and bundling of services and products to limit competition.
2 The legal proceedings shall include any adjudicative proceeding in which the entity was involved, whether before a court, a regulator, an arbitrator, or otherwise.
3 The losses shall include all monetary liabilities to the opposing party or to others (whether as the result of settlement or verdict after trial or otherwise), including fines and other monetary liabilities incurred during the reporting period as a result of civil actions (e.g., civil judgments or settlements), regulatory proceedings (e.g., penalties, disgorgement, or restitution), and criminal actions (e.g., criminal judgment, penalties, or restitution) brought by any entity (e.g., governmental, business, or individual).
4 The scope of monetary losses shall exclude legal and other fees and expenses incurred by the entity in its defense.
5 The scope of disclosure shall include, but is not limited to, legal proceedings associated with the enforcement of relevant regulations, such as:
5.1 Articles 101 to 109 of the Treaty on the Functioning of the European Union
5.2 Japan’s Act on Prohibition of Private Monopolization and Maintenance of Fair Trade
5.3 The U.S. Clayton Antitrust Act of 1914
5.4 The U.S. Federal Trade Commission Act of 1914
5.5 The U.S.
Sherman Antitrust Act of 1890
6 The scope of disclosure shall include, but is not limited to, legal proceedings associated with the enforcement of relevant industry regulations promulgated by regional, national, state, and local regulatory authorities, such as:
6.1 Japan Fair Trade Commission
6.2 U.S. Federal Trade Commission

Note to TC-TL-520a.1

1 The entity shall briefly describe the nature (e.g., judgment or order issued after trial, settlement, guilty plea, deferred prosecution agreement, non-prosecution agreement) and context (e.g., price fixing, patent misuse, anti-trust) of all monetary losses as a result of legal proceedings.
2 The entity shall describe any corrective actions it has implemented as a result of the legal proceedings. This may include, but is not limited to, specific changes in operations, management, processes, products, business partners, training, or technology.

TC-TL-520a.2. Average actual sustained download speed of (1) owned and commercially-associated content and (2) non-associated content

1 The entity shall disclose its average actual sustained download speed in Megabits per second (Mbps), for delivery of (1) owned and commercially-associated content and (2) non-associated content.
1.1 Actual sustained download speed is defined as throughput, in Mbps, utilizing three concurrent TCP connections measured at the 25-30 second interval of a sustained data transfer, consistent with the U.S. Federal Communications Commission's (FCC) Measuring Broadband America program.
1.1.1 The entity shall disclose its methodology for measuring download speed, such as the time period over which the test was conducted, sample size, whether it reflects peak versus non-peak speeds, whether the measurement isolates the effects of transient performance-enhancing features (e.g., throttling or “burst” speeds), and limits on accuracy.
1.2 Owned and commercially-associated content is defined as content that is owned by the entity directly, such as content created through media-production business segments of the entity, its parent, or its subsidiaries, and content that is owned by companies with whom the entity has commercial agreements, such as pay-for-priority agreements or content delivery network peering agreements.
1.3 Non-associated content is defined as any content that is not owned by or commercially-associated with the entity, as described above.
2 The average actual sustained download speed is calculated as the sales-weighted aggregate of average actual sustained download speeds of each tier of service on a per-user account basis (i.e., weighted by number of user accounts in each tier of service, not actual usage).
3 The entity may disclose its average advertised download speed.
3.1 Average advertised download speed is defined as the download speed advertised for each user account based on the speed of the account type.
3.2 The average advertised speed is calculated as the average of monthly advertised download speeds on a sales-weighted user account basis (i.e., weighted by number of user accounts, not actual usage).

TC-TL-520a.3. Description of risks and opportunities associated with net neutrality, paid peering, zero rating, and related practices

1 The entity shall describe risks and opportunities associated with rules and regulations addressing net neutrality and open internet.
1.1 Net neutrality and open internet refers to principles that would prevent behavior that harms consumers or competition by limiting the openness of the Internet, as aligned with the U.S. Federal Communications Commission's (FCC) Title 47 – Telecommunications, Part 8 – Preserving the Open Internet.
1.1.1 Transparency: That all internet service providers (ISPs) must transparently disclose to their subscribers and users all relevant information as to the policies that govern their network.
1.1.2 No Blocking: That no legal content may be blocked.
1.1.3 No Unreasonable Discrimination: That ISPs may not act in a commercially unreasonable manner to harm the Internet, including favoring the traffic from an affiliated entity.
1.2 The scope of disclosure includes, but is not limited to, the reclassification of ISPs as common carriers under Title II of the Communications Act of 1934, or the use of Section 706 of the Telecommunications Act of 1996 to regulate ISPs.
1.3 The scope of risks includes, but is not limited to, potential limitations on an entity’s ability to deliver its own content, increased competition from edge providers that stream content, reputational harm with consumers, and/or possible restrictions on an entity’s ability to generate new revenue streams from peering and pay-for-priority agreements or earn capital needed to support a growing and evolving broadband infrastructure.
1.4 The scope of opportunities includes, but is not limited to, growth in delivery of owned and affiliated content, increased market penetration, and/or improved advertising revenues.
2 The entity shall discuss its policies for engagement in paid peering agreements and settlement-free peering agreements.
2.1 Peering agreement is defined as an arrangement whereby one Internet operation connects directly to another so that the two can trade traffic.
3 The entity shall discuss its policies for engagement in zero-rating.
3.1 Zero-rating is defined as an arrangement wherein customer data usage is not billed nor counted toward any customer data plan limit if they are accessing certain content affiliated with the mobile network operator or internet service provider.
Managing Systemic Risks from Technology Disruptions

Topic Summary

Given the systemic importance of telecommunications networks, systemic or economy-wide disruption may be created if the network infrastructure of telecommunication services companies is unreliable and prone to business continuity risks. As the frequency of extreme weather events associated with climate change increases, telecommunication services companies will face growing physical threats to network infrastructure, with potentially significant social or systemic impacts. In the absence of resilient and reliable infrastructure, companies may face lost revenue associated with service outages and unplanned capital expenditures to repair damaged or compromised equipment. Companies that successfully implement measures to address business continuity risks, including an identification of critical business operations, or to enhance resilience of the system are likely to substantially reduce their risk exposure and, hence, lower their cost of capital. While implementation of such measures may have upfront costs, companies are likely to see long-term benefits in terms of lower remediation expenses in cases of high-impact disruptions.

Accounting Metrics

TC-TL-550a.1. (1) System average interruption frequency and (2) customer average interruption duration

1 The entity shall disclose (1) system average interruption frequency as the average number of disruptions per customer.
1.1 Average interruption frequency shall be calculated as the total number of customer interruptions divided by the total number of customers served.
1.1.1 The number of customer interruptions is the sum for all interruptions of the number of customer accounts that experienced an interruption in service during each incident (i.e., counting customer accounts multiple times if they experienced multiple service interruptions throughout the year).
1.1.2 The number of customers served is the number of unique customer accounts with active service during the reporting period.
2 The entity shall disclose (2) customer average interruption duration as the average number of hours per customer.
2.1 Average interruption duration shall be calculated as the sum for all interruptions of the total downtime (in hours) of each interruption divided by the number of customer accounts affected by each interruption.
2.1.1 The number of customers served is the number of unique customer accounts with active service during the reporting period.
3 The scope of disclosure is restricted to:
3.1 Wireline communications services
3.2 Wireless communications services
3.3 Internet service provider (ISP) services

Note to TC-TL-550a.1

1 For each significant service interruption, the entity shall disclose the duration of the disruption, the extent of impact, and the root cause, as well as any corrective actions taken to prevent future disruptions.
1.1 Where relevant, the entity shall indicate costs incurred, such as those due to organizational change, training, or technology expenditures required for remediation, lost revenues, payment of warranties, or cost associated with breach of contract.
1.2 A service interruption is considered significant if it meets the thresholds set forth in Part 4 of the U.S. Federal Communications Commission’s (FCC) rules (47 C.F.R. Part 4) for reporting as part of the Network Outage Reporting System (NORS).

TC-TL-550a.2. Discussion of systems to provide unimpeded service during service interruptions

1 The entity shall discuss business continuity risks associated with technology disruptions affecting operations.
1.1 Examples of disruptions include, but are not limited to, those caused by technical failures, programming errors, cyber attacks, weather events, or natural disasters at hosting facilities.
2 The entity shall discuss measures to address business continuity risks, including an identification of critical business operations and redundancies or other measures implemented to enhance resilience of the system or to reduce impact, including insurance against loss.
3 The entity may discuss estimated amount of potential loss, probability of that loss, and the associated timeframe. These estimates may be based on insurance figures or other third-party or internal assessments of potential loss.