If you run a small business, you might think the dark web is something that only affects big corporations, tech companies, or government agencies.
In reality, small businesses are often the easiest targets.
When customer details, staff logins, invoices, or payment information end up on the dark web, the impact can go far beyond “IT issues”. It can trigger privacy and contract compliance obligations, customer disputes, regulatory scrutiny, reputational damage, and (in some cases) extortion demands.
The good news is you don’t need to be a cyber security expert to improve your legal position. Once you understand what the dark web is (and how it connects to day-to-day business risks), you can put practical policies and processes in place to reduce your exposure and respond quickly if something goes wrong.
What Is The Dark Web (And Why Does It Matter For Business)?
People often use the terms “internet”, “deep web” and “dark web” as if they mean the same thing. They don’t.
The “Surface Web” vs “Deep Web” vs The Dark Web
- Surface web: pages that are publicly accessible and indexed by search engines (for example, your website homepage).
- Deep web: content that isn’t indexed by search engines, usually because it’s behind a login (think email inboxes, private client portals, accounting systems, online banking, subscription dashboards).
- The dark web: a small subset of the deep web that requires special tools to access and is designed to provide a higher level of anonymity. It’s where you often see marketplaces and forums for stolen data, compromised credentials, and hacking tools.
It’s important to be clear: the dark web itself isn’t automatically illegal. There are lawful uses (including privacy-protecting activity in oppressive regimes). The legal risk for your business usually comes from how criminals use it - for example, selling your customer database, publishing stolen passwords, or trading access to your systems.
What Kind Of Business Data Ends Up On The Dark Web?
For Australian small businesses, the data most commonly found on the dark web includes:
- Login credentials (email addresses + passwords) taken from breaches or phishing attacks
- Customer personal information (names, phone numbers, emails, addresses, dates of birth)
- Employee information (payroll data, tax file details, HR records)
- Payment data (card details, billing data, refund records)
- Commercially sensitive data (supplier pricing, contracts, product roadmaps, internal emails)
Even if you feel your business “doesn’t hold much data”, a single compromised staff email account can give an attacker access to quotes, invoices, customer threads, attachments, and password reset links to other systems.
Why Australian Small Businesses Should Care About The Dark Web
If your business data is circulating on the dark web, the issue isn’t just that it exists - it’s what can happen next.
It Can Lead To Real-World Fraud And Business Interruption
Once criminals have access to credentials or email threads, they may attempt:
- Invoice scams (changing bank details, intercepting payments, impersonating suppliers)
- Account takeovers (email, social media, payroll, cloud storage)
- Ransomware/extortion (locking data or threatening to publish it)
- Identity fraud affecting your customers, contractors, or staff
This is where the dark web becomes a practical business risk - because it can quickly turn into lost revenue, downtime, and expensive remediation.
It Can Trigger Legal Duties (Not Just “Best Practice”)
Depending on your business and the kind of information exposed, you may have obligations under:
- Privacy laws (including the Privacy Act 1988 (Cth) for some businesses, and privacy obligations that can also arise through contracts)
- Australian Consumer Law (ACL) (for example, if statements you make about privacy or security are misleading or deceptive, or if your data handling practices cause consumer harm in circumstances where the ACL applies)
- Employment and workplace obligations (for example, confidentiality duties and complying with workplace policies, and in some cases responding appropriately if staff information is compromised)
- Contractual obligations (for example, confidentiality clauses, data handling clauses, vendor agreements, and client terms)
In other words, a dark web incident is often a legal and operational issue at the same time.
The Key Legal Risks When Your Data Appears On The Dark Web
Let’s break down the main legal risks Australian small businesses should think about when the dark web is involved.
1. Privacy Compliance And The Notifiable Data Breaches (NDB) Scheme
If your business is covered by the Privacy Act (or you are contractually required to meet similar standards), you may need to consider whether the incident is an eligible data breach under the Notifiable Data Breaches (NDB) scheme.
Many small businesses are not covered by the Privacy Act due to the small business exemption (which can apply where your annual turnover is $3 million or less). However, there are important exceptions, and some small businesses are covered - for example, if they provide a health service, trade in personal information, or are otherwise caught by the Privacy Act. Even where the Privacy Act does not apply, you may still have privacy and security obligations through contracts, industry requirements, or customer expectations.
Generally speaking, an eligible data breach is where there has been unauthorised access to or disclosure of personal information (or loss of personal information), and the incident is likely to result in serious harm, and you haven’t been able to prevent that harm through remedial action.
This is not always straightforward. You often need to assess:
- what information was accessed
- who it relates to (customers, staff, suppliers)
- what protections were in place (encryption, access controls)
- the realistic likelihood of harm (fraud risk, identity theft risk, safety risk)
- what you can do immediately to reduce harm (password resets, account lock-outs, takedown requests)
Having an incident plan can make the difference between a controlled response and a rushed one. Many businesses document their approach through a Data Breach Notification process so internal teams know what to do and when to escalate.
2. Misleading Statements And Customer Trust
Small businesses often reassure customers with statements like:
- “We take your privacy seriously”
- “Your data is secure with us”
- “We never share personal information”
These may be well-intended, but they can create risk if they’re not accurate in practice. If a breach occurs and it turns out you weren’t handling personal information in the way you described, this can lead to complaints, disputes, and reputational damage.
This is why it’s so important your Privacy Policy matches what you actually do - and is updated when your systems or vendors change.
3. Confidentiality And Contractual Liability
Even if you’re not covered by the Privacy Act, you may have confidentiality obligations in:
- client contracts
- NDAs
- supplier and distributor agreements
- platform and SaaS contracts (where you’re a service provider)
If sensitive client information ends up on the dark web, the legal question often becomes: did you take reasonable steps to protect it?
What is “reasonable” depends on your business size, the sensitivity of data, and industry expectations. But having clear internal controls, access rules, and documented practices usually puts you in a stronger position.
4. Employee Misuse, Policy Gaps, And Insider Risk
Not every dark web incident comes from an external hacker. Sometimes access happens through:
- weak internal passwords
- shared logins across staff
- staff downloading client data onto personal devices
- ex-employees retaining access
- contractors being given too much access
From a legal risk perspective, if you don’t set clear expectations with your team, it can be harder to enforce standards later. This is where having documented rules (and making sure staff actually understand them) matters.
Depending on your setup, it may be appropriate to put an Acceptable Use Policy in place (covering passwords, devices, file sharing, and access to business systems), alongside broader Workplace Policies that set day-to-day standards.
5. Payment Data Handling Risks (And Higher Stakes If You Store Card Details)
If your dark web exposure involves payment data, the stakes can increase quickly - because payment fraud can happen fast and can impact a large number of customers.
One high-risk area is storing credit card details (even if it feels convenient for subscriptions, repeat orders, or “one-click” customer experiences). If you’re handling payment information, it’s worth reviewing your practices carefully and documenting what you store, why you store it, and how it’s protected, including the legal issues around storing credit card details.
How Do You Reduce Dark Web Risk While Staying Compliant?
There’s no single “silver bullet” for dark web risk. But there are a few practical legal and operational steps that make a meaningful difference for small businesses.
1. Know What Data You Collect (And Why)
A simple but powerful first step is data mapping. Ask:
- What personal information do you collect?
- Where is it stored (CRM, email, spreadsheets, cloud drives)?
- Who can access it (staff, contractors, virtual assistants)?
- How long do you keep it?
- Who do you share it with (payment processors, marketing platforms, booking systems)?
You can’t protect what you can’t see. This is also the foundation for having an accurate Privacy Policy and responding quickly if an incident occurs.
2. Put Your Security Expectations In Writing
Cyber security is partly technical, but it’s also behavioural. Policies help you set expectations and show you take reasonable steps.
Many businesses use an Information Security Policy to cover things like access controls, password standards, device rules, reporting suspicious activity, and vendor management.
Done properly, this is not just “paperwork”. It becomes the playbook your team follows when they’re busy, onboarding new staff, or dealing with suspicious emails.
3. Tighten Access And Offboarding Processes
A lot of avoidable incidents come down to access management. Some practical steps include:
- use unique logins (avoid shared accounts)
- use multi-factor authentication (MFA) wherever possible
- limit admin access to only those who need it
- remove access immediately when someone leaves (including contractors)
- regularly review who has access to what
This is also where your employment documentation matters. An Employment Contract can reinforce confidentiality obligations and clarify expectations about business systems, devices, and information handling.
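The access review described above (unique logins, MFA, limited admin rights, prompt offboarding, regular checks of who has access) can be run as a simple reconciliation between your HR records and each system’s list of user accounts. The script below is an added example written for this article, not a Sprintlaw tool or any vendor’s export format: the roster, the account fields (username, owner, mfa, admin, last_login) and all the sample people are constructed for the illustration, and you would populate them from your own HR records and system exports.

```python
"""Access review: reconcile an HR roster against an account export.

Added example for this article (not a Sprintlaw tool). The roster and account
field names are assumptions made up for the illustration; populate them from
your HR records and from each system's user export.
"""
from dataclasses import dataclass
from datetime import date

# Constructed HR roster: who should hold access today. end_date is None for
# current staff and an ISO date for anyone whose engagement has ended.
ROSTER = {
    "alice@example.com.au": {"role": "staff", "end_date": None},
    "bob@example.com.au": {"role": "staff", "end_date": "2024-03-31"},
    "cara@contractor.example": {"role": "contractor", "end_date": "2024-09-30"},
}

# Constructed user export from one business system (for example a CRM).
ACCOUNTS = [
    {"username": "alice", "owner": "alice@example.com.au", "mfa": True, "admin": True, "last_login": "2024-06-10"},
    {"username": "bob", "owner": "bob@example.com.au", "mfa": True, "admin": False, "last_login": "2024-06-01"},
    {"username": "cara", "owner": "cara@contractor.example", "mfa": False, "admin": True, "last_login": "2024-06-11"},
    {"username": "sales", "owner": None, "mfa": False, "admin": False, "last_login": "2024-06-11"},
    {"username": "dave", "owner": "dave@example.com.au", "mfa": True, "admin": False, "last_login": "2023-12-01"},
]

# Generic names that usually indicate a login shared between several people.
SHARED_NAME_HINTS = {"sales", "info", "admin", "accounts", "reception", "office"}
STALE_AFTER_DAYS = 90


@dataclass
class Finding:
    username: str
    issue: str
    detail: str


def review_access(roster, accounts, today, stale_after_days=STALE_AFTER_DAYS):
    """Return one Finding per control gap: ex-staff still holding an account,
    owners unknown to HR, shared logins, missing MFA, admin rights outside
    staff, and accounts nobody has used recently."""
    findings = []
    for acct in accounts:
        name = acct["username"]
        owner = acct.get("owner")
        person = roster.get(owner) if owner else None

        if owner is None and name.lower() in SHARED_NAME_HINTS:
            findings.append(Finding(name, "shared_account",
                                    "generic login with no individual owner; replace with per-person logins"))
        elif person is None:
            findings.append(Finding(name, "unknown_owner",
                                    f"{owner or 'no owner'} does not match anyone in the roster"))
        elif person["end_date"] and date.fromisoformat(person["end_date"]) < today:
            findings.append(Finding(name, "ex_staff_access",
                                    f"{owner} ended on {person['end_date']} but the account still exists"))

        if not acct["mfa"]:
            findings.append(Finding(name, "mfa_disabled", "multi-factor authentication is not enabled"))

        # Admin rights are only expected on accounts owned by current staff.
        if acct["admin"] and (person is None or person["role"] != "staff"):
            findings.append(Finding(name, "excess_admin", "admin rights on a non-staff or unowned account"))

        days_idle = (today - date.fromisoformat(acct["last_login"])).days
        if days_idle > stale_after_days:
            findings.append(Finding(name, "stale_account", f"no login for {days_idle} days"))
    return findings


def summarise(findings):
    """Count findings by issue type, for the written review record."""
    counts = {}
    for f in findings:
        counts[f.issue] = counts.get(f.issue, 0) + 1
    return counts


def run_review(today_iso="2024-06-12"):
    """Run the review over the constructed data as at the given date."""
    return review_access(ROSTER, ACCOUNTS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    findings = run_review()
    for f in findings:
        print(f"{f.username:8} {f.issue:22} {f.detail}")
    print(summarise(findings))
```

Run against the constructed data, the review flags Bob (left in March, account still live), Cara (a contractor with admin rights and no MFA), the shared “sales” login, and Dave (no one by that name in the roster and no login for over six months), while Alice passes cleanly. Keeping the dated output alongside your access records is the kind of documented practice that helps show you took reasonable steps.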
4. Reduce The Risk Of Email-Based Fraud
Email is still one of the most common “entry points” for breaches and dark web exposure - usually through phishing or compromised credentials.
From a process perspective, it’s worth implementing rules like:
- never changing bank details based on email alone (require verification)
- training staff to spot urgent, unusual requests
- using a second channel (phone call to a known number) to confirm payment changes
Depending on your business, you might also consider an Email Disclaimer as part of your communication controls. A disclaimer won’t stop a breach, but it can clarify what your emails do (and don’t) mean and reduce the extent to which third parties rely on them.
5. Make Sure Your Privacy Disclosures Match Reality
If you say you delete information after a period, do you actually delete it? If you say you don’t share data, are you using third-party marketing tools that do share data?
These details matter more than many business owners realise - because after a breach, customers, business partners, and sometimes regulators will look closely at what you told people and what you did in practice.
What Should You Do If You Suspect Your Business Data Is On The Dark Web?
Finding out your data may be on the dark web can feel confronting, especially if you’re a small team already stretched thin.
The key is to act quickly, stay organised, and avoid making assumptions. Here’s a practical approach.
Step 1: Contain The Risk
- Reset passwords (and require resets for compromised accounts)
- Enable MFA if it isn’t already turned on
- Disable suspicious accounts or sessions
- Check mailbox rules in email accounts, including forwarding, redirect and auto-delete rules (a common tactic in business email compromise)
- Patch systems and remove unauthorised access
If the issue involves a vendor or cloud system, you may need to coordinate with that provider quickly.
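The mailbox rule check in Step 1 is worth doing systematically rather than by eye, because attackers who take over an email account typically add a rule that forwards payment-related mail to an outside address and hides the originals (often under a one-character rule name). The script below is an added example written for this article, not a Sprintlaw tool and not any mail platform’s own API: the export layout (one record per mailbox with a forwarding address and a list of rules) and all three sample mailboxes are constructed for the illustration. In practice you would build the same structure from your mail platform’s admin console or export tooling.

```python
"""Audit exported mailbox settings for business email compromise indicators.

Added example for this article (not a Sprintlaw tool and not any mail
platform's API). The export layout is an assumption made up for the
illustration; build it from your mail platform's admin tooling. All sample
data is constructed.
"""

OUR_DOMAINS = {"example.com.au"}

# Words an attacker's rule typically matches on so payment conversations can
# be hijacked without the mailbox owner noticing.
FINANCE_KEYWORDS = ("invoice", "payment", "bank", "remittance", "transfer", "bsb")

# Folders commonly used to park hidden mail where the owner will not look.
HIDE_FOLDERS = {"deleted items", "rss feeds", "rss subscriptions", "archive",
                "junk email", "conversation history"}

# Constructed export of three mailboxes.
MAILBOXES = [
    {
        "user": "jo@example.com.au",
        "forwarding_address": None,
        "rules": [
            {   # classic compromise rule: one-character name, finance
                # keywords, external forward, originals buried and marked read
                "name": ".",
                "enabled": True,
                "subject_or_body_contains": ["invoice", "payment"],
                "forward_to": ["jo.smith.payments@outlook-mail.example"],
                "move_to_folder": "RSS Feeds",
                "mark_as_read": True,
            },
            {   # benign housekeeping rule
                "name": "Newsletters",
                "enabled": True,
                "from_contains": ["news@"],
                "move_to_folder": "Newsletters",
            },
        ],
    },
    {
        "user": "alice@example.com.au",
        # mailbox-level forwarding sits outside the rules list and is easy to miss
        "forwarding_address": "alice.personal@gmail.example",
        "rules": [
            {"name": "Auto-archive", "enabled": True,
             "subject_or_body_contains": ["[auto]"], "move_to_folder": "Archive"},
        ],
    },
    {
        "user": "sam@example.com.au",
        "forwarding_address": None,
        "rules": [
            {"name": "Share with team", "enabled": True,
             "from_contains": ["supplier"], "forward_to": ["team@example.com.au"]},
        ],
    },
]


def is_external(address):
    """True when the address's domain is not one of ours."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in OUR_DOMAINS


def audit_mailbox(mailbox):
    """Return (user, indicator, detail) tuples for one mailbox."""
    user = mailbox["user"]
    findings = []

    fwd = mailbox.get("forwarding_address")
    if fwd and is_external(fwd):
        findings.append((user, "mailbox_forwarding_external", fwd))

    for rule in mailbox.get("rules", []):
        if not rule.get("enabled", True):
            continue
        name = rule.get("name", "")

        targets = list(rule.get("forward_to", [])) + list(rule.get("redirect_to", []))
        external = [t for t in targets if is_external(t)]
        if external:
            findings.append((user, "rule_forwards_external", f"rule {name!r} -> {', '.join(external)}"))

        keywords = [k.lower() for k in rule.get("subject_or_body_contains", [])]
        finance = [k for k in keywords if any(word in k for word in FINANCE_KEYWORDS)]
        hides = (rule.get("delete", False)
                 or rule.get("move_to_folder", "").lower() in HIDE_FOLDERS
                 or rule.get("mark_as_read", False))
        if finance and hides:
            findings.append((user, "rule_hides_finance_mail", f"rule {name!r} matches {finance} and hides the mail"))

        # Names made only of punctuation or whitespace are a common attacker habit.
        if not name.strip(" .,_-*'\""):
            findings.append((user, "rule_suspicious_name", f"rule named {name!r}"))
    return findings


def audit_all(mailboxes):
    findings = []
    for mailbox in mailboxes:
        findings.extend(audit_mailbox(mailbox))
    return findings


if __name__ == "__main__":
    for user, indicator, detail in audit_all(MAILBOXES):
        print(f"{user:24} {indicator:28} {detail}")
```

On the constructed data, Jo’s “.” rule trips all three rule indicators, Alice’s mailbox is flagged for forwarding everything to a personal address, and Sam’s internal team forward is left alone. Each flagged item is also evidence worth preserving (Step 2) before you remove the rule.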
Step 2: Preserve Evidence (Don’t “Clean Up” Too Fast)
It’s natural to want to delete things and move on. But you should also preserve logs, emails, screenshots, and timelines. This can help you:
- work out what actually happened
- show what steps you took and when
- meet notification or contractual obligations
- support any insurance claim (if applicable)
Step 3: Assess Whether You Need To Notify Anyone
This is where you consider privacy obligations, contractual obligations, and practical risk management.
If the Privacy Act and NDB scheme apply to your business, you may need to assess whether this is an eligible data breach and whether you must notify affected individuals and the Office of the Australian Information Commissioner (OAIC). Even if the NDB scheme does not apply (for example, due to an exemption), notification may still be required under a contract, or may be a sensible step to help people protect themselves.
Notification isn’t just about “ticking a box”. Done properly, it should help affected people protect themselves (for example, by changing passwords, monitoring accounts, or being alert to scams).
If you have a documented process for Data Breach Notification, it’s much easier to work through this step calmly and consistently.
Step 4: Communicate Carefully (And Consistently)
In a dark web incident, rushed communication can create extra problems. Common mistakes include:
- overstating what you know (“no customer data was affected” before you’ve confirmed)
- understating the risk (which damages trust later)
- inconsistent messaging between your customer service team, website, and email updates
Aim to communicate what you know, what you’re investigating, what steps you’ve taken, and what customers should do next.
Step 5: Review Your Legal Documents And Policies
After an incident, it’s worth reviewing:
- your Privacy Policy and internal security policies
- your customer terms (especially any confidentiality, liability, and security-related terms)
- contracts with service providers who may have been involved
- internal access rules and offboarding processes
This is not about blaming anyone - it’s about strengthening your business so the same pathway can’t be used again.
Key Takeaways
- The dark web is often where stolen business data and login credentials are traded, which can lead to fraud, ransomware, and customer harm.
- If personal information is involved, a dark web incident may trigger privacy compliance steps, including assessing whether notification obligations apply (but this depends on whether the Privacy Act and NDB scheme apply to your business, and/or what your contracts require).
- Legal risk often comes from a mix of privacy obligations, confidentiality clauses, and what you’ve promised customers about security and data handling.
- Practical protections include limiting access, improving staff processes, and putting clear security expectations in writing (policies matter).
- If you suspect data is on the dark web, act quickly to contain the risk, preserve evidence, assess notification needs, and communicate carefully.
- Strong legal documents (like a Privacy Policy, employment contracts, and internal policies) help you prevent incidents and respond more confidently if one happens.
Note: This article is general information only and does not constitute legal advice. If you need advice about your specific circumstances (including whether the Privacy Act applies to your business or whether you need to notify), you should get legal advice.
If you’d like help reviewing your privacy compliance, data breach response steps, or internal policies for your business, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.