A post-Dobbs decision shareholder proposal at Laboratory Corporation of America from Tara Health Foundation, calling on the company to report on known risks of fulfilling information requests and mitigation strategies for providing information connected to enforcement of anti-abortion laws and the company’s response:
Proposal Seven: Request for a Board Report on Known Risks of Fulfilling Information Requests and Mitigation Strategies
WHEREAS: Following the revocation of the constitutional right to an abortion in June 2022, federal policymakers and legislators have become concerned about the use of personal digital data for the enforcement of state laws that ban or limit abortion access. Congress is currently considering bills that would increase privacy protections for personal reproductive health information. California now requires out-of-state law enforcement seeking personal data from California corporations to attest that the investigation does not involve any crime concerning an abortion that is lawful in California.
Law enforcement frequently relies on digital consumer data. While LabCorp does not publicly report figures on law enforcement requests compliance, Alphabet and Meta alone collectively received around 110,000 requests in the second half of 2021, and each complied with about 80% of those requests.1 In 2022, Meta satisfied a Nebraska police warrant for private Facebook messages from a defendant facing felony charges for allegedly helping her daughter terminate a pregnancy,2 to significant negative press.
LabCorp collects sensitive consumer information such as personal health data, internet activity, and commercial information. Shareholders are concerned that such data will be accessed without consumer consent by states that criminalize abortion. Indeed, the Company’s privacy policies allow LabCorp to disclose personal consumer information “in response to duly authorized information requests of any law enforcement agency.”3 However, such requests may seek evidence of consumer acts that are inappropriate for LabCorp to voluntarily share – for example, a customer’s activities that were legal in the state where they occurred, such as laboratory testing related to an abortion.
Since LabCorp collects and stores digital consumer data, the Company is not immune to abortion-related law enforcement requests that may create significant reputational, financial, and legal risks. LabCorp is already complying with “deletion rights” under California law, wherein consumers may request that the Company delete collected personal data that is not legally required to retain. Accordingly, there is a strong brand benefit to upholding and increasing longstanding consumer privacy expectations.
RESOLVED: Shareholders request that our Board issue a public report detailing any known and potential risks and costs to the Company of fulfilling information requests relating to LabCorp customers for the enforcement of state laws criminalizing abortion access, and setting forth any strategies beyond legal compliance that the Company may deploy to minimize or mitigate these risks. The report should be produced at reasonable expense, exclude proprietary or legally privileged information, and be published within one year of the annual meeting.
SUPPORTING STATEMENT: Shareholders recommend, at board and management discretion, that input from reproductive rights and civil liberties organizations be solicited and reflected in the report, and that the report contain:
|2.||An evaluation of the benefits of notifying consumers about law enforcement information requests regarding their data prior to, and with sufficient time for consumer response before complying with any such request.|
The Board unanimously recommends that shareholders vote “AGAINST” this proposal.
Labcorp’s Board of Directors has carefully reviewed and considered the above proposal and unanimously recommends a vote AGAINST this proposal. The Board believes that the report requested by the proposal would not be in the best interests of the Company or the shareholders. While the proposal specifically requests a report on risks related to fulfilling information requests related to state laws criminalizing abortion access, it is fundamentally about privacy. The Company has a program in place designed to protect patient privacy and that aligns with federal and rapidly evolving state law requirements. The requested report would not enhance the Company’s program to comply with applicable privacy laws and regulations, reduce the risks the Company faces with respect to compliance with privacy laws or provide any additional privacy protections. The report and the extensive level of detail requested by the proposal would result in an unnecessary and burdensome expenditure of Company resources and attention.
Labcorp has systems and processes that are designed to comply with applicable privacy laws and regulations, an area that is regulated in the US by many federal and state laws and regulations.
Privacy and the protection of patient records is a top priority for Labcorp. The Company operates in a heavily regulated industry and is subject to numerous data protection laws that govern privacy, security, use, and disclosure of personal information. The Company has systems and processes that are designed to protect personal information in accordance with contractual commitments, ethical standards, and all applicable laws in the jurisdictions in which the Company does business, including, but not limited to, the federal privacy regulations issued under the U.S. Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
In the U.S. the Company is required to comply with federal privacy and security regulations as well as varying state privacy and security laws. These laws often regulate and restrict the collection, use, and disclosure of medical information and are subject to enforcement and interpretations by various governmental authorities and courts. Penalties for violation of these laws may include sanctions against a laboratory’s licensure, debarment from participation in certain programs, and civil and/or criminal penalties. As a result, the Company has implemented robust policies and procedures designed to ensure compliance with the full range of applicable privacy and security requirements, including HIPAA.
The preparation and publication of the requested report would create an undue burden and incur an unnecessary cost to the Company and the shareholders.
The breadth of matters covered by the requested report is substantial. The proposal seeks a report detailing any known and potential risks, as well as anystrategies beyond legal compliance for mitigating these risks, related to fulfilling information requests related to the enforcement of state laws criminalizing abortion access. Developing such a report
would involve a substantial level of effort involving issues related to privacy, protection of customer information, and compliance with applicable laws. The scope of the research, costly legal analysis, and management time and resources that such an undertaking would consume would be burdensome to Labcorp.
Producing the requested report would likely require the development and implementation of new processes and policies. For example, to prepare the report the Company would need a way to determine whether a duly authorized law enforcement request relates to enforcement of state laws criminalizing abortion access. Although processes are in place to help ensure that law enforcement requests are valid and duly authorized, in many cases it would be difficult to determine why information is being sought by law enforcement at the level that would be required to prepare the report. It would be necessary for the Company to implement substantial new processes to research and identify – when it is even possible – whether a duly authorized law enforcement request relates to the enforcement of state laws criminalizing access to abortion. These efforts could result in substantial additional time, expense and use of Company resources.
Production of the report would add to the significant costs the Company already incurs to comply with applicable privacy laws and regulations and to protect the privacy of its stakeholders, including but not limited to its customers, study participants, employees, and providers. And, it would do so without enhancing the Company’s compliance with applicable laws and regulations, reducing the risks the Company faces, or enhancing the privacy rights of its stakeholders. Accordingly, the Board does not believe the proposal is in the best interests of the Company or its shareholders.
After careful consideration, the Board recommends a vote “AGAINST” this proposal.