I didn't mention this in the opening, but I did my MBA thesis on small and medium-sized enterprise, the compliance with PIPEDA and CASL, and the impacts on those small firms. I went so far as to do a survey of small businesses, and did some focus-group testing with them as well.
The issue that you'll run into is one that you mentioned. A larger corporation would be able to survive. If you hit them with a $100,000 penalty, they can pay it and continue on with the business they were doing. When it comes to a smaller enterprise, $100,000 would definitely be the difference between that business continuing and ceasing operations and filing for bankruptcy.
In the case of a data breach, the business is being victimized by a hacker who has infiltrated their system and removed information in order to either damage that enterprise or collect personal information about their customers. With regard to having rules and regulations in place that require companies to understand that they need to keep the information they collect secure, that understanding is already there.
Penalizing a small enterprise for being the victim of a data breach is probably not the best course of action. Bringing them in and having the OPC sensitize them to an understanding of what happened in the hack, doing the investigation—they'll understand the engineering behind it—is probably a better course.
That's the system now. They bring in the small and medium-sized enterprise and explain what the issues were, and ensure that they're compliant going forward.