GLBA Cloud Compliance

Cloud security and privacy in context of GLBA

What is the Gramm-Leach-Bliley Act (GLBA)?

The Gramm-Leach-Bliley Act (GLBA) is a United States federal regulation that protects consumer financial privacy. The regulation restricts the sharing of consumer financial information with third parties, a practice that many financial institutions and organizations engage in. GLBA requires financial institutions – defined broadly to encompass companies that provide financial services or products – to disclose their information-sharing practices to customers and to make clear the customer’s right to ‘opt out’ of information sharing with nonaffiliated third parties.

GLBA also establishes restrictions on the reuse and re-disclosure of a customer’s financial information. In addition, the GLBA Data Protection Rule requires appropriate administrative, technical and physical safeguards for customer data. Even if a financial institution does not disclose nonpublic financial information to third parties, GLBA compliance is still mandatory.

GLBA calls for severe civil and criminal penalties for noncompliance, including fines and imprisonment. If a financial institution violates GLBA:

  • The institution will be subject to a civil penalty of not more than $100,000 for each violation
  • Officers and directors of the institution will be subject to, and personally liable for, a civil penalty of not more than $10,000 for each violation
  • The institution and its officers and directors will also be subject to fines in accordance with Title 18 of the United States Code or imprisonment for not more than five years, or both

Violations of GLBA can also result in a number of sanctions and can adversely affect an institution’s reputation.

Who does it apply to?

GLBA applies to all businesses that are ‘significantly’ engaged in providing financial products or services to consumers. Companies that are not traditionally considered financial institutions but that provide financial products or services – such as check-cashing businesses, payday lenders, mortgage brokers, non-bank lenders, retailers, ATM operators and credit reporting agencies – are likewise required to comply with GLBA.

What data are protected?

  • Nonpublic personal information: personally identifiable financial information collected in connection with providing a financial product or service or otherwise collected by a financial institution.
  • Nonpublic personal information includes:
    • Customer name, address, social security number, account number
    • Information a customer provides on an application
    • Information obtained on a legal document that pertains to a summons, bankruptcy, divorce, etc.
    • Information from a “cookie” obtained in using a website
    • Information on a credit report obtained by a financial institution

Security Requirements

Ensure the security and confidentiality of customer information. Protect against any anticipated threats or hazards to the security or integrity of such information. Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

Financial privacy rule

This rule requires financial institutions to provide a notice of their privacy policies and practices with respect to the disclosure of consumer information to third parties. The rule also requires financial institutions to allow the consumer to opt out of the disclosure of their personal information to a nonaffiliated third party.

Safeguards rule

This rule requires financial institutions to develop, implement and maintain a written information security program detailing the administrative, technical and physical safeguards in place to protect the nonpublic financial information of their consumers. The information security program must be updated in response to changes in the organization or to findings from monitoring.

A Preliminary Checklist for Cloud Compliance

Provide education, such as coaching messages, to employees and consultants about security best practices and protecting the organization’s IT infrastructure.

Audit and monitor

Regularly monitor traffic within your network and to and from the cloud, test these systems and processes, and identify any unauthorized changes to systems and configurations.

Access control

Implement strong access control measures to all IT infrastructure.

Risk management

Implement a risk management process to identify, measure, monitor and manage risk.
