GBLA (Gramm-Leach-Bliley Act) requires financial institutions doing business in the US to establish appropriate standards for protecting the security and confidentiality of customers’ non-public personal information. The objectives are to:

  • Ensure the security and confidentiality of customer records and information
  • Protect against any anticipated threats or hazards to the security or integrity of such records
  • Protect against unauthorized access to information which could result in substantial harm or inconvenience to any customer


The Federal Financial Institutions Examination Council (FFIEC) states the following:

“Financial institutions should employ encryption to mitigate the risk of disclosure or alteration of sensitive information in storage and transit.” Financial Institutions that do not deploy encryption may be called upon by the FFIEC to prove that it considered deploying encryption and justify why it decided against it.

Data Fields Requiring Protection:

GLBA requires protection and recommends protection for the following fields:

  • Customer names
  • Addresses
  • Social security numbers
  • Email address
  • Account numbers
  • Login IDs, passwords, and answers to personal questions
  • Customer locator numbers and IDs
  • Attachments


If the information above is encrypted, the following fields do not require protection because this data is considered anonymized:

  • Dollar amounts
  • Transaction dates
  • Call center data such as duration of calls, date or time of call
  • Bank or associated branch
  • Officer codes
  • Categorizations such as industry, SEC code, issue type, etc.

Breach Notification Requirements and Exemptions

GLBA requires public notification of breaches. However, the loss of adequately encrypted data is not generally considered a breach, and is exempt from notification requirements.

CipherCloud Enables GLBA Compliance with:

  • Strong encryption and tokenization for cloud data, meeting GLBA standards for data protection
  • Encryption keys controlled exclusively by customers, meeting “pseudonymization” requirements
  • Exemption from breach notification requirements by effectively anonymizing data
  • Technology specifically called for to meet Privacy by Design and Default principals
  • Dramatic reduction in audit scope by removing data exposure to cloud providers

Questions? We'll put you on the right path.

Ask about CipherCloud products, pricing, implementation, or anything else. Our knowledgeable reps are standing by, ready to help.

OR CALL 1-855-524-7437