Background
Hattons of London Limited is a niche specialist dealer in heritage and modern gold coins whose business model depends almost entirely on a detailed customer database maintained through the Zoho CRM platform. The database records customer contact details, purchase history, credit scores, call logs and personal interests gathered to build rapport with collectors. The company employed a team of Account Managers who were each assigned specific customers and were paid by commission; their on-target earnings ranged from approximately £78,000 to £280,000 in the twelve months before the events in question. Every Account Manager signed both an employment contract containing perpetual fidelity and confidentiality clauses and a separate Non-Disclosure Agreement prohibiting use of company information for any purpose other than employment, with those obligations expressed to continue indefinitely.
Between February and May 2025, the six Account Manager defendants (2nd–7th defendants) each commenced extended periods of sick leave and none returned to work before resigning in June–July 2025. From May 2025 onwards, Hattons began receiving reports from customers that a new company — The Knightsbridge Collection Limited (the 1st defendant, incorporated in October 2024 by the 8th defendant, a former director of Hattons) — was telephoning them and demonstrating knowledge of their purchase history. Private investigators placed at the 1st defendant’s Stoke-on-Trent premises in June 2025 observed several of the defendant Account Managers attending while they were still nominally on sick leave from Hattons. Forensic analysis of the Zoho platform revealed that the 1st defendant’s credentials had been used from the home IP addresses of multiple defendants on scores of occasions, and that at least one defendant had downloaded a modified export of the customer database that included email addresses.
Hattons obtained an emergency injunction on 20 August 2025 (the “Glasson KC Order”) restraining all defendants from using, copying, disclosing or deleting its confidential information and requiring delivery up of all relevant documents and sworn affidavits of compliance. The 1st defendant entered creditors’ voluntary liquidation on 11 August 2025. The 5th defendant settled before trial. A speedy trial limited to liability and equitable relief — before Bruce Carr KC sitting as a Deputy High Court Judge — was heard in February 2026. The remaining individual defendants appeared in person; the 6th and 8th defendants did not attend. The court rejected a late application to adjourn pending parallel Employment Tribunal proceedings on the grounds that the application was premature, the costs burden on the claimant was significant, and any risk of inconsistent findings cut both ways.
The Court’s Holding
The court found the defendants liable for misuse of the claimant’s confidential information in breach of their contractual and equitable duties. It rejected the central defence — that all database access had been motivated by a need to gather evidence for a collective workplace grievance alleging bullying and nepotism — as implausible on the evidence. The 3rd defendant’s login credentials were used on at least 87 separate occasions from the 2nd defendant’s home IP address during March 2025, including on days when the 3rd defendant was still at work, demonstrating that credentials had been deliberately shared. The same credentials were used on 28 further occasions from the 5th defendant’s home address, and on one day from three distinct IP addresses simultaneously. The court held that access on such a scale and from such locations could not be explained by a legitimate desire to identify whether client accounts had been reallocated within Hattons, since the reports accessed did not in any event display that information.
The court also rejected the alternative explanations offered by the 5th and 7th defendants that database access prior to or on the first day of sick leave was preparatory to an eventual return to work, finding that explanation “not remotely plausible.” It noted that the 4th defendant was accessing Hattons’ data as early as 2 June 2025 yet did not join the grievance until 27 June 2025, undermining any claimed grievance-related purpose. Significantly, all of the defendants who had submitted the grievance chose to resign between 6 June and 11 July 2025 — that is, before the independent investigator commissioned by Hattons delivered her report concluding the grievance had been brought in bad faith — rather than await vindication. A subsequent appeal to a second independent HR expert reached the same conclusion. The court drew an adverse inference from the pattern of resignations, the timing of database access, and the defendants’ physical presence at the rival company’s premises.
Key Takeaways
- Sharing login credentials to access an employer’s CRM system — even once — can constitute misuse of confidential information; doing so 115 times from a competitor’s premises is overwhelming evidence of breach, regardless of any grievance defence advanced.
- A collective grievance alleging workplace misconduct does not suspend employees’ confidentiality obligations or justify accessing and extracting commercially sensitive customer databases during sick leave.
- Courts will refuse to stay High Court proceedings pending Employment Tribunal case management hearings, particularly where the application is made late, significant costs have already been incurred, and the risk of inconsistent findings is symmetrical.
- Employees on sick leave who access, download or share their employer’s confidential customer data — including modified exports that add email address fields — do so at the risk of injunctive relief, delivery-up orders, and findings of liability in civil proceedings irrespective of parallel employment claims.
- An independent grievance investigation concluding bad faith, confirmed on appeal, will be considered by the civil court as relevant to the credibility of any grievance-based justification for data misappropriation.
Why It Matters
This judgment offers a detailed roadmap for businesses seeking to protect customer databases when employees depart to set up or join rival enterprises. It confirms that CRM audit logs recording IP addresses, access times and report downloads are cogent forensic evidence capable of establishing misuse at trial, and that the confidentiality obligations in standard employment contracts and NDAs will be enforced even where employees claim a legitimate collateral purpose for accessing data. The decision is particularly instructive on how courts will treat the grievance defence: sympathy for employees alleging workplace misconduct does not translate into a licence to extract commercial data at scale.
The case also illustrates the practical utility of the speedy-trial mechanism in commercial confidence disputes. By limiting the first hearing to liability and equitable relief rather than quantum, the court was able to resolve the core wrongdoing question within approximately ten months of the injunction being granted, leaving only damages to be assessed later. For employers discovering suspected data misappropriation, it underscores the value of preserving CRM access logs, instructing private investigators promptly, and moving quickly to injunctive relief before a rival business can embed itself in the market using the stolen customer base.