TL;DR
  • PIPEDA requires safeguards proportional to data sensitivity. Weak password policies can mean violations.
  • Quebec's Law 25 has stricter consent and breach reporting rules than the federal baseline.
  • Use a business password manager, enforce MFA on every admin account, and ban common passwords at signup.
  • Document your password policy. The Privacy Commissioner can ask to see it after an incident.

The average cost of a data breach in Canada now sits well above five million dollars, according to IBM's 2024 Cost of a Data Breach report. PIPEDA carries fines up to $100,000 per violation. Quebec's Law 25 introduces administrative monetary penalties up to $10 million or 2% of worldwide turnover, whichever is higher. For a Canadian small business, password hygiene has stopped being an IT topic and started being a survival topic.

This guide covers what Canadian regulators expect, what the threats actually are, and the smallest set of changes that gets a small business to a defensible posture.

What PIPEDA expects

The Personal Information Protection and Electronic Documents Act applies to most private sector organizations across Canada that collect personal information in the course of commercial activity. Principle 4.7 of Schedule 1 requires that personal information be protected by security safeguards appropriate to the sensitivity of the information.

The Office of the Privacy Commissioner of Canada has interpreted this principle in dozens of investigation findings. The pattern is consistent: weak password policies, missing multi-factor authentication, and unencrypted storage are repeatedly cited as failures to meet the safeguard obligation.

In a 2025 joint investigation with the UK Information Commissioner, the OPC found that 23andMe's safeguards were inadequate, in part because the company's password policy did not effectively detect compromised passwords. The recommendations included implementing a robust password policy and screening against compromised password lists. This is the bar the OPC now sets.

What Quebec's Law 25 adds

Law 25 modernized Quebec's private sector privacy law in stages from 2022 to 2024. For small businesses operating in Quebec, the practical changes most relevant to passwords:

The CAI takes its mandate seriously. Quebec businesses cannot rely on the federal regime as a ceiling.

The threats most likely to hit a small business

Small businesses are not too small to attack. They are often easier to attack than large enterprises, because security investment is lower. The most common patterns Canadian small businesses see:

Credential stuffing

Attackers take passwords leaked from other sites and try them against your customer accounts and your own admin logins. If your team reuses personal passwords for work, this can become an internal compromise without anything novel happening on your network.

Business email compromise

An attacker phishes a finance or executive email account, then sends invoice payment instructions from inside the real account. Average loss per incident in Canada now exceeds six figures. Multi-factor authentication on email is the primary defence.

Ransomware via remote access

Many ransomware incidents in Canada start with a leaked password for a remote desktop or VPN account. The CRA breach of 2020, where 11,000 taxpayer accounts were compromised through credential stuffing, is the public sector parallel of what hits private companies all the time.

A pattern to watch

The OPC's annual breach reports note that around 28% of reported breaches in 2025 involved unauthorized access by employees or former employees. Account hygiene during onboarding and offboarding is just as important as defending against external attackers.

The minimum viable security baseline

For a Canadian small business, the following set covers the largest share of realistic risk for the smallest investment.

1. Deploy a business password manager

A business password manager gives you central administration, the ability to share credentials securely with the right team members, and audit logs of who accessed what. 1Password Business, Bitwarden Teams, and Proton Pass for Business are common choices. We compare options in our password manager guide for Canadians, with a focus on individual users; the business versions of those same products extend the same logic.

2. Enforce multi-factor authentication

Every admin account, every shared service, every email account. The Canadian Centre for Cyber Security recommends this as a baseline control. The cost is essentially zero with authenticator apps. The protection is enormous: Microsoft research indicates MFA blocks more than 99% of automated account takeover attempts.

3. Block common and breached passwords at signup

If your platform lets customers create accounts, screen new passwords against breach databases. Have I Been Pwned offers a free Pwned Passwords API for exactly this purpose. The user experience cost is one extra check at the moment of password creation. The security benefit is significant.
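The screening step above, as an added example that is not the page's own code: the Pwned Passwords range lookup works by k-anonymity, sending only the first five hex characters of the password's SHA-1 hash and matching the rest locally. `MIN_LENGTH`, the `signup-screener` user agent string and the offline `sample_fetch_range` reply are assumptions made for the example.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, List

MIN_LENGTH = 12  # assumed policy minimum; use the value in your written policy

def parse_range_response(body: str) -> Dict[str, int]:
    """Parse a Pwned Passwords range reply: one 'SUFFIX:COUNT' line per hash."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """k-anonymity lookup: only the first 5 hex chars of the SHA-1 ever leave your server."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def check_signup_password(password: str, fetch_range: Callable[[str], str]) -> List[str]:
    """Return the policy failures for a candidate password (empty list means accept)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    seen = breach_count(password, fetch_range)
    if seen > 0:
        problems.append(f"breached:{seen}")
    return problems

def live_fetch_range(prefix: str) -> str:
    """Real lookup against the Pwned Passwords range endpoint (needs network access)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "signup-screener", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

# Constructed offline stand-in for the API: a fake range reply for prefix 5BAA6
# (SHA-1 of "password" starts with 5BAA6); the counts and other suffixes are invented.
SAMPLE_RANGE_5BAA6 = """0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
2A8D0DF2A4D0E0E2E5D5F8A2B5A3B2C1D0E:4
"""

def sample_fetch_range(prefix: str) -> str:
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""
```

Pass `live_fetch_range` in place of `sample_fetch_range` to screen against the real service; the `Add-Padding` header makes the reply size uninformative to anyone watching the connection.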

4. Document a password and access policy

The Privacy Commissioner of Canada will ask to see your written policy in any post-incident review. The policy does not need to be long. It needs to specify minimum length, MFA requirements, the password manager you use, the offboarding process for departing staff, and how you respond to suspected compromise.

5. Set a clean offboarding routine

When someone leaves, all their access goes: SSO accounts, shared logins, file storage, customer data tools. Access removal should happen on the day of departure, not the week of departure. Audit this every quarter to catch anything that was missed.
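The quarterly audit above, as an added example that is not the page's own code: it reconciles each system's active-account export against the HR roster and flags accounts of departed staff (sorted by how long they have been overdue) and accounts that belong to nobody on the roster. The roster, the system names and every e-mail address are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Finding:
    system: str
    account: str
    reason: str        # "departed" (on the roster with an end date) or "unknown" (not on the roster)
    days_overdue: int  # days since the end date; 0 for unknown accounts

# Constructed sample HR roster: email -> departure date, None while still employed.
ROSTER: Dict[str, Optional[date]] = {
    "amelie@example.ca": None,
    "raj@example.ca": date(2025, 3, 14),
    "dominique@example.ca": None,
    "li@example.ca": date(2025, 1, 31),
}

# Constructed account exports, one list of active account e-mails per system.
EXPORTS: Dict[str, List[str]] = {
    "sso": ["amelie@example.ca", "raj@example.ca", "dominique@example.ca"],
    "shared_vault": ["amelie@example.ca", "li@example.ca", "contractor@example.net"],
    "file_storage": ["amelie@example.ca", "dominique@example.ca"],
}

def audit_access(roster: Dict[str, Optional[date]], exports: Dict[str, List[str]],
                 today: date) -> List[Finding]:
    """Flag every active account that belongs to departed staff or to nobody on the roster."""
    findings: List[Finding] = []
    for system, accounts in exports.items():
        for account in sorted({a.strip().lower() for a in accounts}):
            if account not in roster:
                findings.append(Finding(system, account, "unknown", 0))
                continue
            end = roster[account]
            if end is not None and end <= today:
                findings.append(Finding(system, account, "departed", (today - end).days))
    # Longest-overdue departed accounts first, then accounts nobody can vouch for.
    findings.sort(key=lambda f: (f.reason != "departed", -f.days_overdue, f.system, f.account))
    return findings

if __name__ == "__main__":
    for f in audit_access(ROSTER, EXPORTS, date.today()):
        print(f"{f.system:13} {f.account:24} {f.reason:9} {f.days_overdue:>4} days")
```

An empty result is the target; anything listed is an access removal that the day-of-departure routine missed.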

Where to host your password manager data

This question matters more for businesses than for individuals. Storing customer credentials or business credentials in a US datacentre may have implications under PIPEDA's accountability principle and under Law 25's specific cross-border transfer rules.

Most major business password managers now offer regional data residency. 1Password lets you choose AWS regions including Canada. Bitwarden offers EU data residency on paid plans. Proton Pass is hosted in Switzerland by default. If your customers are predominantly Canadian and you handle sensitive data, a Canadian or EU region is a defensible choice.

What to do after a breach

If you discover unauthorized access:

  1. Contain. Force password resets on affected accounts. Revoke active sessions. Disable any account showing suspicious activity.
  2. Assess. What data was accessible to the compromised account? Customer records, payment data, employee files? This determines whether the breach meets the "real risk of significant harm" threshold under PIPEDA, or the "risk of serious injury" threshold under Law 25.
  3. Report. If the threshold is met, notify the OPC (or the CAI in Quebec) and affected individuals as soon as feasible. The OPC's online breach report form is at priv.gc.ca.
  4. Document. PIPEDA requires you to keep records of every security incident for at least 24 months, even ones that did not meet the reporting threshold.
  5. Improve. Identify the root cause. Most password-related incidents trace back to a missing MFA, a reused credential, or a stale account that should have been disabled.

The cost of doing nothing

The cheapest version of a password incident is the one that did not happen. Once a Canadian small business reaches the breach reporting threshold, the costs compound: legal fees for the report, customer notification, regulatory engagement, possible class action exposure, reputational harm, and direct fraud losses.

The five steps in this article take a small business from no real password posture to a defensible one in roughly two weeks of part-time work. The investment, in time and dollars, is small relative to a single incident.

The takeaway

Canadian privacy law expects organizations to protect personal information with safeguards proportional to its sensitivity. Password hygiene is one of the most basic of those safeguards, and one of the easiest to get visibly wrong. A business password manager, MFA across the board, and a written policy will get a small business most of the way there.

The remaining steps are the ones that catch organizations of any size off guard: clean offboarding, breached password screening, and documented incident response. None of them are technically hard. All of them are organizationally easy to forget. The job is to remember.