Sustainability Accounting Standards Board (SASB) Index

• U.S.: 241.532 million
• Mexico: 22.316 million

• Network access lines: 4.185 million
• U-verse Voice over Internet Protocol connections: 2.558 million

Global broadband subscribers: 15.228 million

Please see our Q4 2023 Earnings Statement.

• Percentage on cellular network
• Percentage on fixed network

• Total energy consumed (Gigajoules):
• Percentage grid electricity
• Percentage renewable energy
• Data center Power Usage Effectiveness

• Total energy consumed: 15,266,708 MWh
• Percentage grid electricity: 97.8%
• Percent renewable energy: 25.7%
• Data center Power Usage Effectiveness: 1.62

We continue to be one of the largest corporate purchasers of renewable energy in the United States. AT&T is currently ranked fifth on the Environmental Protection Agency’s Green Power Partnership National Top 100 and fourth in Tech and Telecom.¹

The energy production of our domestic renewable energy portfolio is nearly 3 million MWh annually, with more than 3,000 MWh coming from on-site sources.² Most of our renewable energy comes from off-site solar and wind contracts currently in production, along with hydropower received through supply contracts. In 2023, our large-scale renewable energy projects delivered nearly 3.3 million renewable energy credits to help offset our GHG emissions. For more information on AT&T’s energy use and programs, visit our Energy Management issue brief.

Our Privacy Notice explains how we use consumer information and keep it safe. It also outlines the choices consumers can make at any time about how their information is used.

Consumers can access information on our approach to privacy and data use, along with links to privacy choices and security tips, through the AT&T Privacy Center and AT&T Mexico Comprehensive Privacy Notice. In addition, privacy policies and notices for AT&T’s apps and services are accessible within the apps and on the services’ websites. Through these policies, consumers can learn about their choices for opting out of certain data collection and marketing programs, such as behavioral advertising. Our approach to transparency also includes:

• Policy Updates & Questions: As required, we notify consumers when we update our privacy notices and explain the changes via the AT&T Privacy Center website. Consumers can send questions or feedback on our privacy notice and policies, either by emailing privacypolicy@att.com or writing us at AT&T Chief Privacy Office, 208 S. Akard St., Room 2901, Dallas, TX 75202.
• Transparency Report: AT&T publishes a biannual Transparency Report in which we provide comprehensive information about legal demands to which we responded. It includes the number and types of demands, those that were partially or completely rejected, demands for location information, exigent requests and international demands. The AT&T Global Legal Demand Center provides oversight of such demands from law enforcement. This comprehensive, voluntary reporting to the public reflects our commitment to the law and to our privacy principles.
• Consumer Resources: We strive to help consumers learn how to maintain privacy, safety and security in an increasingly connected world. We launched a new online tool to make it easier for consumers to opt out of email marketing and promoted the AT&T ActiveArmor^SM mobile security app to help customers view all their privacy and security resources.

For more information on AT&T’s data protection and security practices, please see our Privacy issue brief.

• Percentage who have opted in

• Number of customers whose information was requested
• Percentage resulting in disclosure

Like all companies, we are required by law to provide information to government and law enforcement entities, as well as parties to civil lawsuits, by complying with court orders, subpoenas, lawful discovery requests and other legal requirements. Twice a year, we issue a Transparency Report listing (1) specific data regarding the number and types of legal demands to which we responded for the prior 6 months that compelled AT&T to provide information about (a) communications or (b) our customers, as well as (2) information permitted by law to be disclosed about Foreign Intelligence Surveillance Act demands. 

The Transparency Report also provides information about legal demands that were partially or completely rejected, and for which no data was provided. AT&T does not currently disclose the number of individual customers whose records were requested. 

• Percentage involving customers’ personally identifiable information
• Number of customers affected

AT&T is not able to provide information on data security breaches, as it is confidential.

We work hard to protect and safeguard the privacy of consumer and employee information. But like all companies, we are faced with attempts to gain unauthorized access to our customers’ or employees’ data. We have an action plan to swiftly respond to these situations: 

• Response Process: The AT&T Incident Response team follows a carefully designed governance structure and response process, investigating suspected breaches and evaluating their potential impact. If we determine that a data breach has occurred, we notify affected consumers and authorities as required by applicable law. We test and improve the incident response process through tabletop exercises and keep up with current data-privacy laws and regulations to ensure our response process remains compliant.
• Oversight: Our Corporate Compliance Office oversees periodic testing of our incident response plans in partnership with stakeholders such as the AT&T Chief Security Office.

We maintain a network and information security program that is reasonably designed to protect our information, and that of our customers, from unauthorized risks to their confidentiality, integrity or availability. Our program encompasses the Chief Security Office and its policies, platforms, procedures and processes for assessing, identifying and managing risks from cybersecurity threats, including third-party risk from vendors and suppliers; and the program is generally designed to identify and respond to security incidents and threats in a timely manager to minimize the loss or compromise of information assets and to facilitate incident resolution.

Our policies align with applicable laws and standards such as:

• Federal Bureau of Investigation Criminal Justice Information Services (CJIS)
• Control Objectives for Information and Related Technology (COBIT)
• Payment Card Industry Data Security Standard (PCI-DSS)
• National Institute of Standards and Technology (NIST) Cybersecurity Framework and NIST 800-53r5
• External certification and assessment requirements, such as PCI-DSS, Sarbanes-Oxley Act, SSAE18/ISAE3402 SOC and ISO-27001
• Privacy laws and regulations, such as the California Consumer Privacy Act

AT&T maintains two global ISO/IEC 27001 certifications. The scope of these certifications covers the AT&T global IP infrastructure and certain customer-facing managed services. To maintain the certifications, we undergo annual recertification assessments.

We have also achieved ISO 9001 certification,³ which demonstrates our belief that customer satisfaction and expectations are the most important factors in the work we do. In addition, we undergo other third-party audits, such as those for the PCI-DSS, the Sarbanes-Oxley Act and the Statement on Standards for Attestation Engagements 18/International Standard on Assurance Engagements 3402.

We assess, identify and manage risks from cybersecurity threats through various mechanisms, which from time to time may include tabletop exercises to test our preparedness and incident response process, business unit assessments, control gap analyses, threat modeling, impact analyses, internal audits, external audits, penetration tests and engaging third parties to conduct analyses of our information security program. We conduct vulnerability testing and assess identified vulnerabilities for severity, the potential impact to AT&T and our customers and likelihood of occurrence. We regularly evaluate security controls to maintain their functionality in accordance with security policy. We also obtain cybersecurity threat intelligence from recognized forums, third parties, and other sources as part of our risk assessment process. In addition, as a critical infrastructure entity, we collaborate with numerous agencies in the U.S. government to help protect U.S. communications networks and critical infrastructure which, in turn, informs our cybersecurity threat intelligence.

For details on our managerial approach to security, please see our Network & Data Security issue brief.

• Reused
• Recycled
• Landfilled

• Reused or sold: 88%⁴
• Recycled: 12%⁴
• Landfilled: 0%⁴

We require that all U.S. device recycling and salvage vendors maintain an R2 certification. R2 is a comprehensive global certification awarded to facilities that adhere to the R2 responsible electronics recycling standards, which cover areas such as worker health and safety, environmental protection, chain-of-custody reporting and data security.

AT&T collaborates with peers through the Global System for Mobile Communications Association, which has working groups focused on consumer device and network equipment recycling. In 2023, we also engaged with CTIA working groups to refine the industry standard for used mobile device grading. The goal of this initiative is to scale device reuse through common tools, technology and terminology, ultimately supporting consumer confidence in used and refurbished devices.

For more information, please visit our Product Life Cycle and Waste Management issue briefs.

For fiscal year 2023, AT&T had no material losses related to litigation or to non-appealable regulatory decisions involving anti-competitive behavior.

• Owned and commercially associated content
• Non-associated content

AT&T does not favor certain websites or internet applications by blocking or throttling lawful internet traffic on the basis of content, application, service, user or use of nonharmful devices on its broadband internet access services.

In the provisioning of broadband internet access services, AT&T does not directly or indirectly favor some traffic over other traffic in exchange for consideration from a third party or to benefit an affiliate, except to address the needs of emergency communications, law enforcement, public safety (including FirstNet) or national security authorities, consistent with or as permitted by applicable law.

For more information on our approach to network traffic management, see the AT&T Broadband Information: Network Practices webpage. For information on the expected and actual performance of our wireline and mobility network services, see the AT&T Broadband Information: Performance Characteristics webpage.

• System average interruption frequency
• System average interruption duration
• Customer average interruption duration

• System average interruption frequency: 0.0531
• System average interruption duration: 2.4907
• Customer average interruption duration: 46.8953

• System average interruption frequency = total unplanned interruptions/total customer ports
• System average interruption duration (in minutes) = total unplanned interruption duration/total customer ports 
• Customer average interruption duration (in minutes) = total unplanned interruption duration/total unplanned interruptions

Our Network teams collect billions of service-assurance measurements across our wireline and wireless networks every hour, analyzing this data in near-real time to help improve performance and deliver our best customer experience.

The AT&T Business Continuity Management Program includes management disciplines, processes and techniques to support our employees and critical business operations in the event of a significant business disruption, with a focus on maintaining delivery of customer services, including during climate-related events, certified to international business continuity standard ISO 22301:2021. It is also aligned with the Disaster Recovery Institute International Professional Practices, Business Continuity Institute Good Practice Guidelines, Federal Emergency Management Agency National Incident Management System and ISO 31000. Our alignment with these standards indicates our readiness to resume business operations and deliver customer service in the vital hours and days after a disaster. 

We continue to invest in our Network Disaster Recovery Program, which exists to rapidly restore connectivity to areas affected by disasters. In the event of a disaster or other emergency, we implement procedures to quickly restore network functionality, provide critical resources to impacted employees, field customer inquiries and return or establish service in impacted communities.

For additional details on our managerial approach, please see our Network Quality & Reliability and Network & Data Security issue briefs and our Network Practices website.