United States Securities and Exchange Commission
Washington, D.C. 20549
NOTICE OF EXEMPT SOLICITATION
Pursuant to Rule 14a-103
Name of the Registrant: Laboratory Corporation Holdings of America
Name of persons relying on exemption: Tara Health Foundation
Address of persons relying on exemption: 47 Kearny Street, San Francisco, CA 94108
Written materials are submitted pursuant to Rule 14a-6(g) (1) promulgated under the Securities Exchange Act of 1934. Submission is not required of this filer under the terms of the Rule, but is made voluntarily in the interest of public disclosure and consideration of these important issues.
PROXY MEMORANDUM
TO: | Shareholders of Laboratory Corporation Holdings of America |
RE: | Proposal No. 6 (“Reproductive Healthcare and Data Privacy”) |
DATE: | May 6, 2024 |
CONTACT: | Corporate.Engagement<at>rhiaventures.org |
This is not a solicitation of authority to vote your proxy. Please DO NOT send us your proxy card; Tara Health Foundation is not able to vote your proxies, nor does this communication contemplate such an event. Tara Health Foundation urges shareholders to vote for Proposal
No. 6 following the instructions provided on management's proxy mailing.
Tara Health Foundation urges shareholders to vote YES on Proposal No. 6 on the 2024 proxy ballot of Laboratory Corporation Holdings of America (“Labcorp” or the “Company”). The Resolved clause states:
Shareholders request the Board issue a public report detailing known and potential risks and costs to the Company of fulfilling information requests relating to Labcorp customers for the enforcement of state laws criminalizing abortion access, and setting forth any strategies beyond legal compliance that the Company may deploy to minimize or mitigate these risks. The report should be produced at reasonable expense, exclude proprietary or legally privileged information, and be published within one year of the annual meeting.
The full text of the proposal is appended below.
About Tara Health Foundation
Tara Health Foundation aims to improve the health and well-being of women and girls through the creative use of philanthropic capital. Our main areas of focus are reproductive and maternal health in the United States, equitable workplaces, and gender lens impact investing.
Tara Health Foundation is a long-term shareholder in Labcorp. We support this proposal because Labcorp collects massive amounts of women’s personal health data but lacks transparency as to how such data is or may imperil access to reproductive healthcare. In a time when abortion access is criminalized or severely restricted by half of the states, greater understanding about the Company’s data handling practices is warranted.
Background on the Proposal
Following the unprecedented revocation of the constitutional right to abortion in June 2022, about one half of the states have banned or severely restricted abortion care. Law enforcement in these abortion-restrictive states often rely on consumer digital data to investigate and prosecute individuals who provide, aid, or receive the procedure, even if conducted in states where abortion remains legal.
A digital reproductive health footprint could be easily accessed by law enforcement and lead to criminal charges. In one example from 2022, Meta received significant negative press after complying with a data request from a Nebraska police department for private Facebook messages between a mother and daughter, who were both subsequently convicted for felony crimes related to the alleged illegal termination of the daughter’s pregnancy.1 Police in Mississippi and Indiana have similarly used text messages, as well as web searches about abortion and online abortion medication order details as digital evidence against women facing criminal charges related to the end of their pregnancies.2
_____________________________
1 https://tinyurl.com/5dzny56t
2 https://wapo.st/44aVYug
Labcorp has been largely silent on the issue, even though it is a nationwide provider of reproductive healthcare services and is heavily investing in women’s healthcare.3 Indeed, the Company asserts that it has “decades of commitment to women’s health and reproductive genetics” having performed “over 250 million women’s health tests each year,” ranging from infertility to pregnancy and general women’s health.4 In addition, the Company in 2021 acquired Ovia Health, a digital health app used by over 15 million women seeking information and support with family planning, pregnancy, and parenting.5
Given the nature of the Company’s sensitive data, Labcorp is especially vulnerable to law enforcement data requests related to abortion and reproductive healthcare, particularly with respect to interstate conflicts regarding exercise of reproductive rights in states where abortion remains legal. Shareholders have reason to be concerned about whether the enforcement of criminal abortion laws will impact the reputation and financial wellbeing of the Company. The proposal therefore calls upon management to examine the risks associated with the Company’s current data handling practices, including its response to government information requests, in the face of new restrictive abortion laws.
Rationale in Support of the Proposal
1. | Labcorp’s data handling policies may expose individuals to serious risks. |
2. | The Company does not offer transparency reporting regarding data privacy. |
3. | Regulatory and legal compliance is insufficient to minimize privacy risks related to reproductive healthcare. |
4. | Production of the requested report would be feasible and cost-effective. |
Labcorp’s data handling policies may expose individuals to serious risks.
Users interact with Labcorp in a number of ways governed by different Labcorp privacy policies that are unclear, incomplete, and at times do not reflect industry best practices.
Consumers may access the Labcorp website to research information, make inquiries, or pay for Company products and services related to reproductive healthcare. They may also provide the Company with personal health information (“PHI”) when using Labcorp’s health products and services. Furthermore, users may interact with the Ovia Health app, which collects personal sensitive information that may also be relevant to abortion-related criminal investigations, including “date of last period, due date, and other fertility, pregnancy, health, sex life and life” information, in addition to data about the user’s habits, purchases, geolocation, and “photos or videos” uploaded to the app.6
_____________________________
3 https://ir.labcorp.com/static-files/22c019b9-6961-43d3-80ad-0f3edc11ca8d
4 https://womenshealth.labcorp.com/about
5 https://www.labcorp.com/newsroom/labcorp-extends-leadership-womens-health-acquisition-ovia-health
6 https://www.oviahealth.com/privacy-policy/
Despite the sensitive nature of these data, Labcorp’s privacy policies in some instances do not provide strong privacy safeguards that have been recognized as best practices by many industries and privacy leaders. For example, the Company’s Website Privacy Policy7 does not affirm a prohibition against selling or licensing consumer data to third parties like advertisers, nor does it disclose what privacy guidelines, if any, third parties who have access to such data for business purposes must follow in order to minimize their vulnerability to leaks or law enforcement data requests. The policy also does not provide that in response to law enforcement data requests, the Company, where permissible, will notify the affected individual.
The requested report would serve as a mechanism to systematically analyze Labcorp’s multiple privacy policies to identify vulnerabilities and areas where the Company could adopt stronger privacy safeguards that would minimize individual users’ exposure to law enforcement data requests for abortion-related prosecutorial purposes.
Labcorp does not offer transparency reporting regarding data privacy, exposing the Company to financial and reputational risks.
A recent empirical study in the Journal of Marketing showed that vulnerabilities concerning the misuse of commercial data can generate negative outcomes for businesses, including negative abnormal stock returns and damaging customer behaviors such as negative word of mouth and switching to a close business rival.8 These findings could apply to data vulnerabilities from actual and potential disclosures of abortion-related data to law enforcement, thereby amplifying consumer worries about data misuse. Consequently, corporations collecting large troves of consumer data, such as Labcorp, are likely exposing themselves to higher financial and reputational risks. Apropos to the current Proposal, the study found that data transparency, among other things, can alleviate these detrimental effects.
_____________________________
7 https://www.labcorp.com/about/web-privacy-policy
8 https://doi.org/10.1509/jm.15.0497
Labcorp does not publish transparency reporting regarding data privacy. Conversely, many publicly traded companies offer transparency reporting specifically on the issue of government data requests.9 Meta, Amazon, Google and many other companies across different industries offer such periodic reporting, which includes details on the types of requests, compliance rates, jurisdictional information and case studies. In response to a similar shareholder proposal from the 2023 proxy season, CVS bolstered customer privacy protections, including publishing semiannual transparency reports on the number of legal information requests.10 CVS’s inaugural transparency report was released this year,11 to positive media attention. This information would be extremely helpful for investors to make determinations about the Company’s risk exposure as well as serve as an accountability tool. In turn, consumers would gain more assurances that Labcorp respects the privacy of their data.
Why a YES Vote is Warranted: A Response to Labcorp’s Opposition Statement
In opposing the Proposal, the Company states it has systems and processes that are designed to comply with applicable privacy laws and regulations. The Company further provides that preparation and publication of the requested report would “create an undue burden and incur an unnecessary cost to the Company and the shareholders.” However, existing privacy regulations may not be sufficient to minimize the privacy risks contemplated by the proposal, and the requested report could be prepared at minimal cost.
Regulatory and legal compliance is insufficient to minimize privacy risks related to reproductive health care
Data privacy laws in the United States are considered by many experts to be lacking in scope and woefully outdated. In fact, there is no single, comprehensive federal law regulating how companies collect, store, or share customer data.
As the New York Times reports, “[t]he data collected by the vast majority of products people use every day isn’t regulated.”12 In most states, companies can use, share, or sell most data they collect about consumers without notifying them that the company is doing so. There is no federal law standardizing when (or if) a company must notify consumers if their data is breached or exposed to unauthorized parties. If a company shares consumer data – including sensitive information such as an individual’s health or location – with third parties (e.g., data brokers), those third parties can often sell the data or share it without notifying the affected consumers. HIPAA – one of the few federal privacy laws but which only protects PHI – has loopholes that could allow Labcorp to disclose information to law enforcement seeking to prosecute abortion-related crimes.
_____________________________
9 https://bit.ly/3y8J6ZU
10 https://tinyurl.com/yf497dsp
11 https://www.cvshealth.com/impact/esg-reports/resource-library/legal-record-requests.html
12 https://www.nytimes.com/wirecutter/blog/state-of-privacy-laws-in-us/
As a result of this lax regulatory environment, many businesses have implemented firmer privacy practices that more fully protect consumers from nefarious data uses and increase brand trust. One such practice is abiding by the principle of “data minimization,” in which companies only collect personal data that is strictly necessary for delivering the service a user is expecting to receive, and use it for only that purpose.13 Data minimization is already a legal requirement for certain companies doing business in the European Union.14 As a result of data minimization, companies amass less information that may be subject to law enforcement information requests or shared with third parties seeking to participate in the enforcement of abortion-restrictive laws. Notably, data minimization would also reduce the Company’s liability, reputational risk exposure, and storage costs.15 Labcorp has nonetheless failed to disclose in its various privacy policies whether it abides by this or other widely recognized data privacy principles.
Yet, sharing consumer data without proper security measures could expose the Company to significant risks, including the threat of burdensome litigation. In 2021, for example, the most popular fertility and period tracking app developer, Flo Health, faced legal action upon claims that the platform shared sensitive health information with third parties, including Google and Facebook (which could in turn share the data with law enforcement), without the users’ consent.16
Finally, most companies doing business in California, Virginia and the European Union are also required to provide consumers with “deletion rights,” as contemplated by the Proposal.17 Deletion rights generally grant consumers the ability to have personal information erased in instances where the business is not required to maintain the data. Implementing a sustainable data deletion program can help Labcorp reinforce its standards and governance for data deletion, meet regulatory requirements, reduce the risk of data breaches, and improve data hygiene overall.18
Since Labcorp already complies with data deletion requirements under California and Virginia law, applying deletion rights or other related data deletion mechanisms nationwide could be a feasible and cost-effective mitigation measure to the problems raised identified in the proposal. Synalab Group, one of Labcorp’s international competitors, automatically deletes or anonymizes a website visitor’s IP address from the company data logs, while other remaining website-visitor data “is stored for a limited period of time” with the explicit purpose of improving the “operation of [Synalab’s] website.”19 DaVita, a leading healthcare provider, gives consumers the opportunity to “amend or delete” information collected from them through the company’s online platforms.20 The requested report would advise investors whether such measures indeed provide such benefits to the Company.
_____________________________
13 https://pirg.org/articles/do-you-know-where-your-data-is-because-facebook-doesnt/
14 https://www.business.com/articles/how-to-apply-data-minimization/
15 https://tinyurl.com/2p92fr8t
16 https://tinyurl.com/2sduk56f
17 https://oag.ca.gov/privacy/ccpa (California); https://law.lis.virginia.gov/vacodefull/title59.1/chapter53/ (Virginia); https://gdpr-info.eu/art-17-gdpr/ (European Union)
18 https://www.grantthornton.com/insights/articles/advisory/2020/how-data-deletion-empowers-data-protection
19 https://www.synlab.com/privacy-policy
20 https://www.davita.com/privacy-policy
Production of the report would be feasible and cost-effective
While ignoring the substance of the Proposal, Labcorp focuses its opposition statement on the supposed undue burden and unnecessary costs associated with the preparation of the requested report.
However, the scope of research involved in the production of the requested report is narrow and limited to the risks associated with the Company’s fulfillment of information requests relating to Labcorp customers for the enforcement of state laws criminalizing abortion access. The proposal and a number of reports and studies have already identified many of the potential risks, thereby providing useful guidance that the Company may follow in preparing the requested report. Notably, the proposal suggests that the Company consult with reproductive rights and civil liberties organizations in preparing the report, which could reduce the burden of identifying relevant data privacy risks associated with criminal abortion laws.
Production of the requested report would be cost-effective and feasible. A similar shareholder proposal submitted to Interpublic Group Companies for the 2023 proxy season was withdrawn after that company conducted an assessment of their policies and practices regarding reproductive health data, ultimately finding there was no significant risk to customers in the face of newly-enacted state laws criminalizing abortion.21
Labcorp’s claim that “[d]eveloping such a report and conducting the related assessment set forth in the proposal would involve a substantial level of effort involving issues related to privacy, protection of customer information, and compliance with applicable laws” raises concerns. Yet the Board has a responsibility to oversee the “Company’s cybersecurity and other information technology risks, controls and procedures, including . . . the potential impact of such risks on the Company’s business, financial results, operations and reputation.”22 Thus, the requested report would entail the kind of analysis that falls within the purview of the Board's oversight duties.
Indeed, Labcorp should be periodically conducting the assessments contemplated in the proposal. We believe existing Labcorp counsel and technical experts, in consultation with outside experts and groups, could satisfy the request report analyzing, among other things, such mitigation measures without incurring substantial cost.
_____________________________
21 https://tinyurl.com/mvrmfj2x
22 https://ir.labcorp.com/static-files/5ffbe8bd-0695-4ac6-947e-1e877e1a33ec
In sum, we believe that implementing the requested report will help ensure that Labcorp does more to monitor its data handling practices so that they do not expose consumers to serious risks stemming from abortion-related criminal prosecutions, thereby eroding shareholder value by diminishing the Company’s reputation, consumer loyalty, brand, and values.
Vote “Yes” on Shareholder Proposal No. 6.
For questions, please contact Corporate.Engagement<at>rhiaventures.org.
THE FOREGOING INFORMATION MAY BE DISSEMINATED TO SHAREHOLDERS VIA TELEPHONE, U.S. MAIL, E-MAIL, CERTAIN WEBSITES AND CERTAIN SOCIAL MEDIA VENUES, AND SHOULD NOT BE CONSTRUED AS INVESTMENT ADVICE OR AS A SOLICITATION OF AUTHORITY TO VOTE YOUR PROXY. PROXY CARDS WILL NOT BE ACCEPTED. PLEASE DO NOT SEND YOUR PROXY TO TARA HEALTH FOUNDATION. TO VOTE YOUR PROXY, PLEASE FOLLOW THE INSTRUCTIONS ON YOUR PROXY CARD.
Item No. 6 – “Shareholder proposal regarding a Board report on risks of fulfilling information requests”
Reproductive Healthcare and Data Privacy
WHEREAS: Following the revocation of the constitutional right to an abortion in June 2022, policymakers are concerned about the use of personal digital data to enforce state laws that ban or limit abortion access. Law enforcement may demand data held by Labcorp, seeking evidence of consumer acts that were legal in the state where they occurred, but illegal in the consumer’s state of residence, such as laboratory testing related to reproductive healthcare.
Law enforcement’s reliance on digital consumer data has become increasingly common. While Labcorp does not publicly report figures on compliance with law enforcement requests, Alphabet and Meta alone collectively received around 119,000 requests in the second half of 2022, and each complied with about 84% of those requests.[1] In one example from 2022, Meta satisfied, to significant negative press, a data request from Nebraska police for private Facebook messages between a mother and teenage daughter regarding plans to end the daughter’s pregnancy. Based on those messages, both were convicted for felony crimes and will serve prison time.[2]
Labcorp collects sensitive information from consumers about their personal health, location, and Internet and commercial activity. Labcorp also owns Ovia Health, a digital app used by over 15 million women for reproductive healthcare purposes, which collects detailed personal health data from users including information about their cycles, fertility and pregnancy.[3]
Shareholders are concerned that such data will be accessed without consumer consent by states that criminalize abortion. Labcorp’s privacy policies allow disclosure of certain personal consumer information “in response to duly authorized information requests of any law enforcement agency,”[4] which may include instances where compliance with the request is voluntarily sought.
Labcorp is not immune to abortion-related law enforcement requests that may create significant reputational, financial, and legal risks. There is a strong brand benefit to upholding and increasing longstanding consumer privacy expectations.
This is the second year that this proposal has been tiled. Labcorp has declined multiple invitations from the proponents to discuss the matters raised herein.
RESOLVED: Shareholders request the Board issue a public report detailing known and potential risks and costs to the Company of fulfilling information requests relating to Labcorp customers for the enforcement of state laws criminalizing abortion access, and setting forth any strategies beyond legal compliance that the Company may deploy to minimize or mitigate these risks. The report should be produced at reasonable expense, exclude proprietary or legally privileged information, and be published within one year of the annual meeting.
SUPPORTING STATEMENT: Shareholders recommend, at management discretion, input from reproductive rights and civil liberties organizations be solicited and reflected in the report, and that the report contain an assessment of the benefits and feasibility of:
● | implementing a nationwide data privacy policy wherein consumers may request that Labcorp delete personal data that it is not legally required to retain; |
● | notifying consumers about law enforcement information requests regarding their data prior to, and with sufficient time for consumer response, complying with any such request. |
[1] https://transparencyreport.google.com/user-data/overview?hl=en; https://transparency.fb.com/data/government-data-requests/country/us/
[2] https://www.nytimes.com/2023/09/22/us/jessica-burgess-abortion-pill-nebraska.html
[3] https://www.oviahealth.com/privacy-policy
[4] https://www.labcorp.com/hipaa-privacy