Portfolio company data breach litigation highlights risk to private equity sponsors

Improving portfolio company profitability to enhance value at exit is a fundamental element of many private equity strategies. Typical strategies to improve profitability include cost reduction, management restructuring, operational overhauls, and sales/revenue enhancement. But what happens when a third party alleges that such strategies at the portfolio company (port co) caused harm — can the private equity (PE) firm be liable? Or just the port co?

Plaintiff lawyers seeking to hold PE firms liable for alleged port co wrongs on theories of alter ego liability, aiding and abetting, conspiracy, and more are nothing new. What is new is that courts are growing hesitant to eliminate such claims at the motion to dismiss stage, which leaves plaintiffs free to try to pierce the corporate veil in discovery. This shift presents a mounting and vexing problem for PE sponsors. A recent decision from a California federal court in port co cyber breach litigation underscores this trend and adds a new twist to it.

A portfolio company data breach with potential fund implications

A class-action lawsuit moving through federal court in California (In re PowerSchool Holdings, Inc.) followed a significant data breach. Plaintiffs sued both the port co that provided cloud-based data management services to school districts, as well as the PE firm that owns a controlling stake in the company.

Plaintiffs accuse the PE firm of directing the port co to cut costs, including by offshoring its cybersecurity and information technology functions. Shortly afterward, according to the complaint, attackers gained access to the company's network through the compromised credentials of an offshore contractor. From there, they stole Social Security numbers, medical records, financial information, and other records for some 50 million people.

The crux of the plaintiffs' claims is that the breach would likely not have occurred had the port co not offshored and weakened its cybersecurity operations, a decision it allegedly made at the urging of the PE firm.

In March, a judge declined to dismiss the case against the PE firm in full. While the judge agreed to dismiss some of the plaintiffs' claims, certain negligence and direct liability claims remain pending against the PE firm. A ruling on a motion to dismiss comes very early in a case, with the plaintiffs' allegations presumed true, and is certainly not a finding of liability or even a likelihood thereof.

The ruling matters nonetheless: discovery will proceed, and the PE firm will incur significant legal costs for document production, depositions, and a potential motion for summary judgment or trial.

Who bears these costs? Insurance, the portfolio company, and/or the PE firms.

Why private equity should rethink risk and coverage

While the data breach case is somewhat unusual due to its cybersecurity element, plaintiffs have previously pursued claims against PE firms when portfolio companies faced other operational events, like environmental, personal injury, and product liability claims.

Historically, plaintiffs have not been particularly successful in these types of claims against private equity. Judges frequently treated PE firms and port cos as separate legal entities (and the PE firm as a passive investor), which tended to insulate PE firms from liability for their port cos’ actions.

Despite those setbacks, however, plaintiffs haven’t given up in their pursuit of private equity’s deep pockets. With judges increasingly receptive to plaintiffs’ legal theories against private equity, executives should consider the risks that these cases and their own actions could pose.

Litigation, particularly once it advances beyond a motion to dismiss, allows plaintiffs to request and scrutinize the PE firm's records through discovery, which is often an uncomfortable, expensive, and time-consuming experience. Attorneys will closely examine records, such as emails, texts, and instant messages, to shed light on discussions and decision-making among PE partners and their port cos. Communications that could be read as the PE firm pushing cost cuts over security objections, or disregarding risks it had been told about, can bolster a plaintiff's case or their leverage in settlement talks.

Moreover, private equity firms should give renewed consideration to their own insurance structures and those of their portfolio companies.

The insurance coverages that may be implicated in the data breach case described above are not publicly known. But using this case as an example illustrates the types of questions a private equity firm should contemplate:

  • How is the cyber liability policy at the port co structured? Is the PE firm included as an additional insured, or otherwise covered when it is named as a co-defendant? If so, the PE firm would likely have coverage under the port co's cyber policy.

  • If the PE firm is not insured under the port co cyber policy, does the port co have an excess layer on its cyber policy or umbrella policy that could cover any liability beyond the primary policy?

  • Does the PE firm purchase any shared excess cyber liability insurance on behalf of its entire portfolio of companies that may apply?

  • Are there any indemnification agreements between the port cos and the PE firm to address who bears the legal costs if the private equity owners are pulled into a lawsuit?

  • If no excess layer or umbrella policy applies at the portfolio company level, would the PE firm's general partnership liability policy (a form of insurance that protects private equity, venture capital, and other investment fund managers from claims of mismanagement) be implicated? Does that policy have an exclusion or limitation for claims arising from cyber breaches outside the PE firm?

  • Does the PE firm’s directors and officers (D&O) liability policy contain any cyber or data breach-related exclusions that could limit or preclude coverage in a scenario like this? In particular, how broad is the exclusionary language (e.g., full, entity, or specified carve-back), and does the lead-in wording potentially sweep in claims that are ancillary to, but arise out of, a cyber incident?

These questions are merely the beginning of the complex process that PE firms should undertake to coordinate insurance programs and address liability stemming from their port cos.

Given this evolving liability landscape, PE firms should refocus on their insurance programs at both the firm level and the port co level and, critically, on how the two programs would interact if litigation arises.

An experienced broker can help PE firms revisit and review their policies and coverages at both the fund and portfolio levels in light of incidents like this data breach.

For deeper insight into how Lockton supports private equity firms with complex litigation, cyber, and executive liability risks, visit our Professional & Executive Risk page or contact your Lockton risk specialist to start the conversation.