You open your email one morning and see a suspicious login alert. Or worse – a customer calls you to say their information has been compromised. Genuine panic sets in. What are you supposed to do?

You’re not alone, and you’re not out of options. Data breaches and cyberattacks impacted nearly 30% of Canadian businesses in 2025, with organizations paying an average of $6.98 million per breach, according to IBM’s 2025 Cost of a Data Breach Report.

If you suspect your small business suffered a data breach, don’t panic – there are steps you can take to limit the damage. 

We’ll walk you through what you need to do immediately, the steps you can take to avoid breaches in the future, and how cyber liability insurance helps business owners recover quickly from data breaches.


Why Small Businesses Are Prime Targets for Data Breaches

Small businesses are prime targets for cyberattacks and data breaches for a number of reasons, including:

  • Small businesses and self-employed professionals tend to have less sophisticated cybersecurity infrastructure than large corporations
  • Small businesses often store high-value data, such as customer payment information, customer profile records, contact information, and employee-related data
  • Most small businesses don’t have a dedicated IT security team to manage breaches and attacks
  • Hackers and cybercriminals know small businesses are less likely to detect data breaches quickly, giving them the opportunity to exploit their confidential data

It’s not really a question of “if” your business will fall prey to a data breach; it’s a matter of “when” it will happen.

What Counts As a Data Breach?

A data breach occurs when sensitive, confidential, or personal information is accessed, stolen, exposed, or disclosed to unauthorized parties. Breaches can happen by accident or through cyberattacks (such as phishing or ransomware).

Common examples of small business data breaches include:

  • A hacked email account exposing your customers’ information (credit cards, customer records, or passwords)
  • A lost or stolen laptop or mobile phone that can access confidential customer data
  • Ransomware locking access to your business’s files
  • An employee accidentally sending sensitive data to the wrong person
  • An email phishing attack that successfully harvests your login credentials

It doesn’t have to be a dramatic Hollywood-style hack. Some of the most damaging breaches start with a single misaddressed email or a stolen phone.

What to Do Right After a Data Breach (First 24 Hours)

Acting fast is critical if your business has been hit by a data breach. Follow these steps as quickly as possible:

Contain the Breach First

Your first priority is stopping the bleeding. Move quickly to disconnect compromised computers, laptops, servers, or networks from the internet to prevent further unauthorized access. Securing affected systems by taking them offline can help contain the attack while it’s in progress.

Don’t delete anything, even if it looks like junk. Preserving evidence matters, especially if you need to file an insurance claim or report the breach to regulators.

Notify the Right People Immediately

If you have a dedicated IT security team or cybersecurity consultant, contact them immediately and have them investigate the attack and take action to minimize the damage.

Also, contact your financial institution and credit card provider. The incident should also be reported to the Canadian Anti-Fraud Centre and the Canadian Centre for Cyber Security.

It’s also advisable to notify Canada’s two primary credit reporting bureaus – Equifax Canada and TransUnion Canada – and have them add a fraud alert to your business’s credit report.

Assess the Damage

Determine which systems, accounts, and customer data were infiltrated during the breach. Identify all compromised or stolen assets, including customer and financial data, as well as confidential business records.

Document Everything

Under Canada’s privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), organizations must keep records of breaches, and they must report them to the Office of the Privacy Commissioner of Canada (OPC) when the breach creates a real risk of harm.

Document all details about the incident, including what took place, when it happened or was discovered, what systems were compromised, what data was stolen, and if the attackers demanded a ransom.

Talk to your employees to see if they know about the event, and record those conversations. Make sure they know who to contact with information they have that could aid the investigation of the breach.

Change Your Passwords

Immediately change passwords for all affected accounts (email, website backend, data systems, cloud storage, social media accounts) and require all employees to do the same.

If you’re not using multi-factor authentication (MFA) to access critical accounts and systems, enable it for all employees right now.

Notify Your Insurance Broker

Contact your insurance broker as soon as possible. They may recommend you file an insurance claim.

If you’re a Zensurance client, let us know (you can call Zensurance toll-free at 1-888-654-6030). Have the following details on hand:

  • The name of your business, your business’s address, phone number, and an email address to contact you.
  • Your business insurance policy number and the name of the insurance company that underwrites your policy.
  • All relevant details and records of the incident.

Inform Your Customers

If your customers’, suppliers’, or business partners’ personal information is compromised, be transparent and inform them of the breach. Be honest, fast, and human about it. Provide details of what information was exposed and the actions your business is taking to resolve the issue. Remember: poor communication in your response can be more damaging than the breach itself.

The Hidden Costs of a Data Breach (That Many Owners Don’t Expect)

This is where it gets serious. Here’s what’s really at stake if your company suffers a data breach:

  • You may face regulatory fines and compliance penalties
  • Affected customers or clients could sue you
  • Breach investigation and forensics come with costs
  • You’re legally required to notify affected parties, and that process costs money too
  • The reputational damage to your business could be crushing. Customer trust is hard to rebuild
  • Your business operations will be interrupted, meaning significant downtime and lost revenue

Here’s a real-world example of what that looks like:

One of our clients in the healthcare industry was a victim of a ransomware attack in 2025 that resulted in the theft of their data and a ransom demand to release it. Their cyber insurance policy covered over $200,000 in remediation, credit monitoring fees, legal counsel expenses, notification costs and employee overtime to deal with the fallout and get back to business.

Without that policy, those costs would have come straight out of pocket. For many small businesses, that’s a business-ending scenario. That is precisely why your business should have cyber liability insurance.

How Does Cyber Liability Insurance Protect Business Owners From Data Breaches?

Cyber liability insurance keeps a data breach from becoming a business-ending event. A typical cyber insurance policy includes coverage for:

  • Incident Response Expenses: Coverage for the cost of access to a 24/7 cyber incident response hotline and a dedicated team to assist you in coordinating an incident response following a cybercrime.
  • Legal, Forensic, and Breach Management Fees: Coverage for legal advice, notification fees, crisis management services, and credit monitoring.
  • System Damage and Restoration Costs: Repairs and restoration of the software systems damaged during the cyber event.
  • System Business Interruption: Coverage for income losses sustained due to a system outage resulting from a breach or attack.

One thing to be clear about: A general liability insurance policy does not cover cyberattacks or data breaches. You need a dedicated cyber liability policy.

And if you’re self-employed or a sole proprietor? You’re not exempt. You store client data, you handle financial information, and you’re just as liable if that data is exposed.

Download our free guide, “Cyber Liability Insurance: How to Protect Your Small Business From Cyber Threats”, for actionable, inexpensive steps you can take to strengthen your cybersecurity defences.

How to Reduce Your Risk of a Data Breach

The best time to prepare for a data breach is before it happens. Here’s what every small business owner should have in place:

  • Keep all software, apps, and operating systems updated. Outdated software is one of the most common entry points for attackers.
  • Use strong, unique passwords for every account, and use a password manager to keep track of them.
  • Enable multi-factor authentication (MFA) on every account that supports it.
  • Train your employees to recognize phishing emails and social engineering attempts.
  • Back up your data regularly to both an off-site location and a secure cloud storage service.
  • Create a written incident response plan. Even a simple one-page document helps you act fast if the worst happens.

Preparedness isn’t paranoia. It’s just good business.

Resources for Small Businesses in Canada to Manage Data Breaches

  • The Office of the Privacy Commissioner of Canada (OPC) provides a free online tool to assess whether a breach poses a risk of significant harm to your customers and whether you are required to report it.
  • The Insurance Bureau of Canada’s Cybersavvy website offers cyber insurance checklists, guidance on how to create a cybersecurity plan, and a 10-question cyber insurance assessment tool.
  • The Canadian Centre for Cyber Security provides advice and guidance for small business owners on how to increase their cybersecurity protection, as well as cyber alerts and advisories to be aware of.

Frequently Asked Questions About Cyber Liability Insurance in Canada

How common are data breaches for small businesses in Canada?

It’s very common, and it’s getting worse. According to the Business Development Bank of Canada, 73% of small businesses in Canada experienced a cybersecurity incident in 2025. Meanwhile, a Zensurance online poll of 1,000 Canadian small business owners last year found more than half (53%) had experienced an attack.

Is cyber liability insurance required in Canada?

Cyber liability insurance is not legally required in Canada. However, many professions and industry associations require it (for example, accounting and financial services). It’s highly recommended that all business owners include cyber liability insurance in their overall business insurance policies to safeguard against the likelihood of a data breach or cyberattack.

How much does cyber liability insurance cost?

A cyber liability insurance policy with a low coverage limit of $50,000 or less is typically included with a professional liability insurance policy for an additional $100 to $200 per year. Business owners who store sensitive data or require a higher coverage limit may opt for a standalone policy, which costs approximately $750 to $1,000 per year.

What’s the difference between general liability and cyber liability insurance?

General liability insurance covers your business for third-party bodily injury and property damage that harms others on your business premises or because of your usual operations. Cyber liability insurance covers the cost of managing data breaches and different types of cyberattacks (phishing, ransomware, denial-of-service attacks, malware). They’re not interchangeable. You need both.

What should I do first if my small business has a data breach?

Contain it immediately. Disconnect any affected devices from your network, preserve all evidence, and contact your IT support or cybersecurity consultant. Then notify your insurance broker, your financial institution, and the relevant Canadian authorities. Time is critical – every hour of inaction increases the damage.

Cyber Insurance Isn’t Optional Anymore – Get a Free Quote

Protect your business, reputation, and finances from cyberattacks and data breaches with comprehensive cyber liability insurance.

The businesses that survive data breaches are the ones that are prepared. Don’t wait until you’re already in crisis mode.

Complete our online application for a free quote in less than 5 minutes.

Our knowledgeable team of insurance brokers will shop our partner network of over 50 insurers to get the right cyber insurance to address your risks and customize it to suit your budget.

About the Author: Brandon Bowie

Brandon Bowie is a Senior Broker and Team Lead, Professional Lines at Zensurance.