Unprecedented: Private Equity Firm Potentially on Hook for Portfolio Company’s Data Breach

In a first of its kind, a California federal judge allowed claims against Bain Capital to proceed based on a data breach at its subsidiary, PowerSchool. Notably, many of the claims are based on conduct that occurred before Bain’s acquisition of PowerSchool. Although the case will continue to play out, it is a cautionary tale for private equity firms even at this early stage.

The Bottom Line: Courts may hold PE firms liable for cybersecurity failures at portfolio companies—even for breaches rooted in pre-closing conduct. Here’s what happened and what you can do about it.

The Acquisition

Bain Capital acquired PowerSchool, a K-12 education software provider, in a $5.6 billion transaction that closed on October 1, 2024. Acquisition discussions began in August 2022 and accelerated in 2024, eventually closing on October 1, 2024.

The Breach

In August 2024—before Bain’s acquisition closed—a threat actor gained unauthorized access to PowerSchool’s systems using stolen vendor credentials. Initial data exfiltration of the data of a single school district occurred in September 2024. 

Following the acquisition, Bain directed PowerSchool to offshore cybersecurity, engineering, and IT functions to contractors. This offshoring required data-management tools that enabled vendors to bypass consent protocols and access protected school district computers directly.

Over the next several months, the threat actor, a 19-year-old college student from Massachusetts, was able to use the stolen credentials to access and exfiltrate data from thousands of school districts throughout North America. This exfiltration was not discovered until December 28, 2024—after Bain’s acquisition closed—when the cybercriminal group, ShinyHackers, made a ransom payment demand to PowerSchool.

PowerSchool publicly disclosed the data breach on January 7, 2025. The threat actor reportedly transferred the exfiltrated data to a cloud provider in Ukraine, which included the personal data of 60 million students and 10 million teachers, and included data elements such as social security numbers, medical information, financial information, addresses, disability records, and custody information.

The Lawsuit

Several class actions related to PowerSchool’s data breach were subsequently filed and eventually consolidated in the Southern District of California, naming both PowerSchool and its parent company Bain as defendants. On March 18, 2026, the court granted in part and denied in part Bain’s Motion to Dismiss, and allowed plaintiffs’ claims for aiding and abetting, negligence, negligence per se, unjust enrichment, violations of the California unfair competition to proceed. 

The court relied on the following allegations against Bain to find that the claims could proceed:

• Bain “ratified and conditioned its offer on cost reduction measures,” which included laying off domestic cybersecurity staff. 
• Pre-closing, Bain held contractual veto rights over capital expenditures exceeding $5 million, material vendor contracts, and major workforce changes
• The acquisition agreement “recognized data security as a material aspect of PowerSchool’s business [and] included data-protection obligations. . . .”
• Post-closing, Bain immediately replaced PowerSchool’s entire board.
• Post-closing, Bain directed PowerSchool to offshore cybersecurity, engineering, and IT functions to contractors, including offshoring required data-management tools that enabled vendors to bypass consent protocols and access protected school district computers directly.
• Bain failed to assess data-breach risks from the offshoring it directed.
• Post-closing, Bain directed layoffs of at least 5% of PowerSchool’s workforce, including critical domestic IT staff.

Lastly, the acquisition agreement contained a “disclaimer of control” provision, stating that neither Bain nor PowerSchool controlled the operations of the other. The court, however, found that given the other factual allegations, the provision did “not compel a different result at this state [of the litigation].”

Implications for Acquisitions

A target’s cybersecurity practices, and understanding associated liabilities, are increasingly material to acquisitions. Private equity firms need to strategically approach both pre- and post-acquisition activities to avoid cybersecurity risks.

It is important to note that the District Court was deciding the issue at the pleadings stage, and the complaint’s allegations must be taken as true during this stage. These allegations, according to the District Court, adequately pleaded a common law agency theory that survived the typical liability barriers that exist between parent companies and their subsidiaries. In finding jurisdiction over Bain due to this agency theory, the District Court explained that the complaint sufficiently alleged that “Bain exercised control over PowerSchool’s key strategic decisions—including cybersecurity operations, workforce decisions, and capital expenditures—both before and after the merger closed.”

How to Protect Yourself: Practical Steps

1. Understand That Disclaimers Are Not Enough: The court rejected the argument that contractual disclaimers of control are dispositive. If you exercise actual control over a portfolio company’s operations—especially cybersecurity—you may face liability regardless of what your agreements say.
2. Treat Cybersecurity as a Material M&A Issue: Data protection is no longer just an IT concern—it is a material acquisition risk. Courts and regulators are increasingly willing to hold investors accountable for the cybersecurity practices of companies they control.
3. Go Beyond Reps and Warranties: Review and assess the legal and regulatory implications of data protection laws and standards. Do not rely solely on standard contractual protections. Conduct substantive due diligence to verify the target’s compliance with cybersecurity standards—before you close.
4. Avoid Exercising Control: Avoid taking control or directing operations of the target before an acquisition closes and carefully consider the implications of doing so after an acquisition closes, with full awareness of material risks.
5. Strategically Assess Operations Post-Closing:  
   1. Align acquisition companies’ cybersecurity and data protection with the private equity firm’s own commitment to ethical business practices and responsible corporate governance.
   2. Ensure that the private equity firm’s investment strategy and operations do not contribute to the risks associated with third-party cybersecurity and data breaches or to the privacy rights of data subjects.  Short-term gains from consolidating operations may be wiped out by significant liabilities if a data breach occurs. 
   3. Share best practices and knowledge with portfolio companies to provide as much protection as possible
   4. Document any shared services arrangements with an intercompany services agreement with clear delineation of resources and separation of the legal entity structure to preserve the corporate veil.

If you would like additional information or assistance with cybersecurity and data breach risk assessments or M&A due diligence and acquisitions, please contact your Womble attorney or any of the authors of this alert.