When people think about corporate sustainability, the word “green” is very likely to spring to mind.
To be sure, organizations like the United Nations think that corporate sustainability reports should include information about human rights issues, labor relations and corporate governance. Nevertheless, carbon footprints and other metrics of environmental performance have dominated the field.
But issues related to information technology — the need to deter cyber-attacks, to preserve freedom of expression (as dramatized by the Snowden affair) and to balance businesses’ aggregation of Big Data with customer privacy concerns — are becoming a bigger part of the sustainability picture. At minimum, these issues are the substance of a new set of voluntary standards slated to be issued April 2 by the Sustainability Accounting Standards Board.
These new sustainability accounting standards are for the IT and communications sectors, including the computer hardware, electronic manufacturing services, software and IT services, and Internet media industries. Yet SASB’s analyses can serve many other kinds of companies as a way to gaze into the future.
Sustaining the Corporation
How is a company’s use and abuse of data a measure of sustainability? “Fundamentally, they’re issues related to sustaining the corporation and to the corporation’s interests being aligned with those of society — and to not violating the trust [its] customers place in [it],” says Jean Rogers, founder and executive director of SASB.
High-flown as that explanation sounds, the technology and communications standards, like SASB’s other industry standards, will have to be supported by hard data in the 10-K. (With the issuance of the tech standards and previous introductions of health care and financial sector standards, SASB will have put forth strictures for three of the 10 sectors on its agenda, which encompasses 80 industries.)
Within SASB’s taxonomy, data issues in the tech sector fall under the sustainability category of “social capital,” which SASB defines as “the expectation of business contribution to society in return for its social license to operate.” Further, issues of data privacy and freedom of expression and data security loom large in three of the six tech industries: software and IT services, Internet media and services, and telecommunications.
You might not think that corporate performance in data privacy and freedom of expression is all that quantifiable. Yet SASB plans to ask software and IT services companies for numeric measurements in three out of five categories.
Addressing widespread customer outcries about the use of their geographic information for marketing purposes, SASB will likely ask companies to report in their 10-Ks the percentage of users whose data is gathered for secondary reasons and the percentage of users who have opted in to that arrangement.
SASB also plans to ask software and IT vendors to report dollar amounts of legal and regulatory fines linked to customer privacy. Corporate adopters are also likely to be asked to supply the number of government or law-enforcement requests for customer information, plus the percentage of those resulting in disclosure.
Another metric, addressing data security, would ask a company to report the number of data breaches and the percentage of those that involve customers’ personally identifiable information.
Boilerplate Reporting
In general, while the tech sector is at the forefront of sustainability reporting, says Rogers, it has two shortcomings. One is that such companies tend to supply boilerplate environmental, social and governance information in their 10-Ks, rather than more useful, specific information.
In a briefing SASB gave for the Securities and Exchange Commission earlier this month, the standard setter provided an example of mere boilerplate language regarding data-privacy disclosure from the 2012 10-K filed by Cognizant Technology Solutions: “We are also subject to systems failures, including network, software or hardware failures, whether caused by us, third-party service providers, cybersecurity threats, natural disasters, power shortages, terrorist attacks or other events, which could cause loss of data and interruptions or delays in our business, cause us to incur remediation costs, subject us to claims and damage our reputation.”
In contrast, the board found this filing on data privacy from Facebook’s 2013 10-K preferable because it’s more industry specific: “We continue to build new procedural safeguards as part of our comprehensive privacy program. These include a dedicated team of privacy professionals who are involved in new product and feature development from design through launch; ongoing review and monitoring of the way data is handled by existing features and applications; and rigorous data security practices. We regularly work with online privacy and safety experts and regulators around the world. In August 2012, the Federal Trade Commission formally approved a 20-year settlement agreement requiring us to enhance our privacy program and to complete biennial third-party assessments.”
Rogers also says that tech company sustainability reporting outside the purview of the CFO tends to play fast and loose with the definition of “material.” Microsoft, Google, HP, Dell and almost all large companies in this sector provide corporate social responsibility reports that aren’t mandatory and aren’t synced up with the 10-K, according to the SASB founder.
Although such reports tend to be produced by communications officials rather than finance executives, they tend to include such phrases as “material issues” or “material factors,” according to Rogers. But the concept of materiality has a very specific meaning in financial reporting.
“One thing these companies are starting to realize is that if they use those words, they should really mean it,” says Rogers. “They should call it ‘interesting’ or ‘relevant,’ but not really ‘material’ outside of the 10-K.”