A client alert from Womble Bond Dickinson (US) discusses what it describes as a first-of-its-kind ruling: a California court did not dismiss claims against Bain Capital over the PowerSchool data breach, even though many of the claims occurred before Bain’s acquisition of PowerSchool was completed.
On March 18, 2026, the court granted in part and denied in part Bain’s Motion to Dismiss, and allowed plaintiffs’ claims for aiding and abetting, negligence, negligence per se, unjust enrichment, violations of the California unfair competition to proceed.
The following are some of the factors the court considered in not dismissing all claims:
The court relied on the following allegations against Bain to find that the claims could proceed:
- Bain “ratified and conditioned its offer on cost reduction measures,” which included laying off domestic cybersecurity staff.
- Pre-closing, Bain held contractual veto rights over capital expenditures exceeding $5 million, material vendor contracts, and major workforce changes
- The acquisition agreement “recognized data security as a material aspect of PowerSchool’s business [and] included data-protection obligations. . . .”
- Post-closing, Bain immediately replaced PowerSchool’s entire board.
- Post-closing, Bain directed PowerSchool to offshore cybersecurity, engineering, and IT functions to contractors, including offshoring required data-management tools that enabled vendors to bypass consent protocols and access protected school district computers directly.
- Bain failed to assess data-breach risks from the offshoring it directed.
- Post-closing, Bain directed layoffs of at least 5% of PowerSchool’s workforce, including critical domestic IT staff.
Read more at The National Law Review. The attorneys note that this was just at the pleading stage, but even so, this was certainly a noteworthy opinion.
