[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[H.R. 4772 Introduced in House (IH)]

116th CONGRESS
  1st Session
                                H. R. 4772

 To provide for the protection of proprietary information provided to 
   the Commodity Futures Trading Commission, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                            October 21, 2019

 Mr. Rodney Davis of Illinois introduced the following bill; which was 
                referred to the Committee on Agriculture

_______________________________________________________________________

                                 A BILL


 
 To provide for the protection of proprietary information provided to 
   the Commodity Futures Trading Commission, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``CFTC Cybersecurity and Data 
Protection Enhancement Act''.

SEC. 2. PROTECTION OF PROPRIETARY INFORMATION BY THE COMMODITY FUTURES 
              TRADING COMMISSION.

    Section 8(a) of the Commodity Exchange Act (7 U.S.C. 12(a)) is 
amended--
            (1) in the first proviso of paragraph (1), by striking 
        ``customers:'' and inserting ``customers, or disclose the 
        proprietary information of any person:''; and
            (2) by adding at the end the following:
    ``(4) Treatment of Proprietary Information.--
            ``(A) Written request; agreement.--Except as provided in 
        subparagraph (B), the Commission shall not examine, receive, 
        obtain, or otherwise access the proprietary information of any 
        person subject to this Act, unless--
                    ``(i) the Commission has transmitted to the person 
                a written request for the information, which details--
                            ``(I) the records sought by the Commission;
                            ``(II) a reasonable schedule to fulfill the 
                        request;
                            ``(III) the method proposed for the 
                        Commission to be provided with access to the 
                        records;
                            ``(IV) any reasonable requirements for data 
                        structures or file formats of the records; and
                            ``(V) an explanation of the purpose of the 
                        request; and
                    ``(ii) the person has agreed to the request.
            ``(B) Exceptions.--Subparagraph (A) shall not apply with 
        respect to proprietary information of a person if--
                    ``(i) the person has been served with a subpoena 
                compelling the person to provide the Commission with 
                access to the information;
                    ``(ii) the information is otherwise required by or 
                under this Act to be disclosed to the Commission;
                    ``(iii) the information was received from a 
                whistleblower pursuant to section 23;
                    ``(iv) the information was lawfully obtained from a 
                foreign or domestic authority in connection with a 
                confidential investigation by the Commission; or
                    ``(v) the person has agreed to provide the 
                Commission with access to the information.
            ``(C) Obligations of the recipient.--
                    ``(i) Acknowledgement of receipt of request.--
                Within 3 business days after a person receives a 
                request made in accordance with subparagraph (A) or a 
                subsequent communication from the Commission in 
                relation to the request, the person shall acknowledge 
                to the Commission that the recipient has received the 
                request or communication.
                    ``(ii) Response to request.--Within 10 business 
                days after a person receives such a request or 
                communication, the person shall respond to the request 
                or communication in accordance with subparagraph (D).
                    ``(iii) Retention of requested records.--A person 
                who receives such a request shall retain all records 
                identified in the request until the request or any 
                subpoena for the records has been resolved.
            ``(D) Response options of the recipient.--A person who 
        receives such a request shall--
                    ``(i) agree to, and comply with, the request;
                    ``(ii) request the Commission to provide additional 
                information regarding the request;
                    ``(iii) request the Commission modify any aspect of 
                the request;
                    ``(iv) seek a review of any aspect of the request 
                by the Commission or a division director to whom the 
                authority to conduct such a review has been delegated; 
                or
                    ``(v) refuse the request.
    ``(5) Establishment of Rules for Safeguarding Information Provided 
to the Commission.--
            ``(A) In general.--The Commission shall prescribe rules 
        regarding--
                    ``(i) the retention of information provided to the 
                Commission under this Act, including--
                            ``(I) the manner of retention;
                            ``(II) the duration of retention, which 
                        shall ensure that information is retained for 
                        only so long as is necessary to carry out this 
                        Act or other Federal law; and
                            ``(III) the process for the return or 
                        destruction of the information, as appropriate; 
                        and
                    ``(ii) access to information provided to the 
                Commission under this Act, including--
                            ``(I) limitations on access to relevant, 
                        essential individuals; and
                            ``(II) additional limitations on disclosure 
                        by the individuals, including after leaving a 
                        position at the Commission.
            ``(B) Incorporation of best practices.--The rules shall 
        incorporate best practices regarding--
                    ``(i) data collection;
                    ``(ii) data access;
                    ``(iii) data retention;
                    ``(iv) physical security; and
                    ``(v) information security and data protection, 
                including cybersecurity.
    ``(6) Proprietary Information Defined.--In this subsection, the 
term `proprietary information' means sensitive, non-public information 
of a person, including--
            ``(A) trading strategies;
            ``(B) analytical or research methodologies;
            ``(C) trading activity in asset classes and not subject to 
        this Act;
            ``(D) physical and cyber vulnerabilities; and
            ``(E) computer hardware or software containing intellectual 
        property.''.