Southern District of California: Denies Dismissal of Aiding-and-Abetting Claim Against Investment Firm Arising From PortCo Data Breach

03.30.26

Executive Summary: A recent federal district court order serves as a reminder to private equity firms to exercise caution in establishing operational direction and day-to-day involvement with a portfolio company after the court largely denied dismissal of plaintiffs’ lawsuit, which asserted a direct liability theory and an aiding-and-abetting claim following a data breach affecting the portfolio company.

The Southern District of California largely denied an investment firm’s motion to dismiss in a multidistrict litigation arising from allegations that it implemented data-management changes at its portfolio company that compromised the software company’s cybersecurity protections and led to a data breach. In re PowerSchool Holdings, Inc., No. 25-md-03149, 2026 U.S. Dist. LEXIS 57050 (S.D. Cal. Mar. 18, 2026). The district court directed most of its analysis to the three theories of liability plaintiffs asserted against the investment firm and denied dismissal as to plaintiffs’: (i) agency theory, concluding that plaintiffs plausibly alleged an agency relationship; (ii) direct liability theory, concluding that the allegations, if proven, would establish that the investment firm’s day-to-day involvement, operational direction, and cost-cutting activities were “inconsistent” with mere investor status; and (iii) aiding-and-abetting claim, concluding that the complaint plausibly alleged that the investment firm knew the software company would be breaching an alleged duty and that the firm’s conduct constituted “substantial assistance.”

Background and Procedural History

In 2022, the investment firm began merger and acquisition discussions with the software company that would go on to become its portfolio company. In early 2024, under the investment firm’s direction, the software company expanded its cybersecurity operations to India. On June 6, 2024, the investment firm agreed to acquire majority ownership of the software company. Under the parties’ agreement, the investment firm was granted contractual consent rights over capital expenditures exceeding $5 million, material vendor contracts, and major workforce changes, and recognized data security as a material aspect of the software company’s business. The transaction closed on October 1, 2024, and the investment firm replaced the software company’s board and assumed operational control of it. After the acquisition, the investment firm directed the software company to offshore cybersecurity, engineering, and IT functions. On December 20, 2024, the software company suffered a data breach, which compromised approximately 50 million individuals’ sensitive personally identifiable information (PII). Subsequently, plaintiffs sued the investment firm, alleging a host of statutory and common law claims. The investment firm sought dismissal of plaintiffs’ lawsuit on various grounds, including failure to state a claim under Federal Rule of Civil Procedure 12(b)(6).

Agency Relationship

The court explained that an actual agency relationship requires: “(1) a manifestation by the principal that the agent shall act for him; (2) that the agent has accepted the undertaking; and (3) that there is an understanding between the parties that the principal is to be in control of the undertaking.” Plaintiffs alleged that the investment firm “ratified and conditioned its offer on cost reduction measures” and the software company assented by agreeing to these measures. The court further noted that the investment firm obtained “strategic control over [the company’s] key decisions” through the merger agreement. Plaintiffs alleged that these decisions—mass IT layoffs and offshoring—led to the breach. The court concluded that “[t]aken together, these allegations satisfy the agency framework: [the investment firm] manifested that [the software company] should act on its behalf by conditioning the merger on cost-reduction measures; [the software company] accepted the undertaking by implementing those measures; and the [parties’] Agreement reflects an understanding that [the investment firm] would control the undertaking.” The court noted that the agreement’s disclaimer of control did not compel a different result at this stage and that it was subject to “all other terms” that allegedly allowed the investment firm to control key operations.

Direct Liability

Stating that a shareholder “may be liable on the ground that such shareholder’s activity resulted in the liability,” the court framed the issue as whether the investment firm’s conduct went beyond what an ordinary investor would do. The court determined that plaintiffs’ allegations, if proven, would establish that the investment firm’s day-to-day involvement, operational direction, and cost-cutting activities were inconsistent with mere “investor status.” In particular, the court noted that before the transaction, the investment firm exercised control through contractual veto rights and workforce directives and that, after the merger, it assumed formal control and replaced the board. The court noted that through this control, the investment firm allegedly dictated the software company’s daily operations, including the cost-cutting measures (such as layoffs of at least 5% of the software company’s workforce, which included critical domestic IT staff, and replacing them with overseas contractors) that dismantled the software company’s cybersecurity infrastructure and led to the data breach.

Aiding-and-Abetting Liability

Under California common law, liability may be imposed on one who aids and abets the commission of an intentional tort if he: “(a) knows the other’s conduct constitutes a breach of duty and gives substantial assistance or encouragement to the other to so act or (b) gives substantial assistance to the other in accomplishing a tortious result and the person’s own conduct, separately considered, constitutes a breach of duty to the third person.” The court concluded that the allegations plausibly alleged both knowledge (i.e., the investment firm knew the software company would be breaching an alleged duty) and that the investment firm’s conduct constituted “substantial assistance.” In support, the court noted that plaintiffs alleged that the investment firm “studied and became involved with” the software company for two years before the transaction, during which time it gained familiarity with its data-security practices and obligations. Plaintiffs further alleged that, having taken control of the software company, the investment firm knew of its misrepresentations and omissions regarding weakened cybersecurity and the duty to protect plaintiffs’ PII. The court pointed out that plaintiffs also alleged that the investment firm directed the software company to eliminate critical U.S.-based workforce and to outsource these responsibilities to offshore contractors for its own financial gain, and concluded that this conduct constituted “substantial assistance” under the aiding-and-abetting framework.