

116 HR 4772 IH: CFTC Cybersecurity and Data Protection Enhancement Act
U.S. House of Representatives
2019-10-21
text/xml
EN
Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.



I116th CONGRESS1st SessionH. R. 4772IN THE HOUSE OF REPRESENTATIVESOctober 21, 2019Mr. Rodney Davis of Illinois introduced the following bill; which was referred to the Committee on AgricultureA BILLTo provide for the protection of proprietary information provided to the Commodity Futures Trading
			 Commission, and for other purposes.
	
 1.Short titleThis Act may be cited as the CFTC Cybersecurity and Data Protection Enhancement Act. 2.Protection of proprietary information by the Commodity Futures Trading CommissionSection 8(a) of the Commodity Exchange Act (7 U.S.C. 12(a)) is amended—
 (1)in the first proviso of paragraph (1), by striking customers: and inserting customers, or disclose the proprietary information of any person:; and (2)by adding at the end the following:
				
					(4)Treatment of proprietary information
 (A)Written request; agreementExcept as provided in subparagraph (B), the Commission shall not examine, receive, obtain, or otherwise access the proprietary information of any person subject to this Act, unless—
 (i)the Commission has transmitted to the person a written request for the information, which details— (I)the records sought by the Commission;
 (II)a reasonable schedule to fulfill the request; (III)the method proposed for the Commission to be provided with access to the records;
 (IV)any reasonable requirements for data structures or file formats of the records; and (V)an explanation of the purpose of the request; and
 (ii)the person has agreed to the request. (B)ExceptionsSubparagraph (A) shall not apply with respect to proprietary information of a person if—
 (i)the person has been served with a subpoena compelling the person to provide the Commission with access to the information;
 (ii)the information is otherwise required by or under this Act to be disclosed to the Commission; (iii)the information was received from a whistleblower pursuant to section 23;
 (iv)the information was lawfully obtained from a foreign or domestic authority in connection with a confidential investigation by the Commission; or
 (v)the person has agreed to provide the Commission with access to the information. (C)Obligations of the recipient (i)Acknowledgement of receipt of requestWithin 3 business days after a person receives a request made in accordance with subparagraph (A) or a subsequent communication from the Commission in relation to the request, the person shall acknowledge to the Commission that the recipient has received the request or communication.
 (ii)Response to requestWithin 10 business days after a person receives such a request or communication, the person shall respond to the request or communication in accordance with subparagraph (D).
 (iii)Retention of requested recordsA person who receives such a request shall retain all records identified in the request until the request or any subpoena for the records has been resolved.
 (D)Response options of the recipientA person who receives such a request shall— (i)agree to, and comply with, the request;
 (ii)request the Commission to provide additional information regarding the request; (iii)request the Commission modify any aspect of the request;
 (iv)seek a review of any aspect of the request by the Commission or a division director to whom the authority to conduct such a review has been delegated; or
 (v)refuse the request. (5)Establishment of rules for safeguarding information provided to the Commission (A)In generalThe Commission shall prescribe rules regarding—
 (i)the retention of information provided to the Commission under this Act, including— (I)the manner of retention;
 (II)the duration of retention, which shall ensure that information is retained for only so long as is necessary to carry out this Act or other Federal law; and
 (III)the process for the return or destruction of the information, as appropriate; and (ii)access to information provided to the Commission under this Act, including—
 (I)limitations on access to relevant, essential individuals; and (II)additional limitations on disclosure by the individuals, including after leaving a position at the Commission.
 (B)Incorporation of best practicesThe rules shall incorporate best practices regarding— (i)data collection;
 (ii)data access; (iii)data retention;
 (iv)physical security; and (v)information security and data protection, including cybersecurity.
 (6)Proprietary information definedIn this subsection, the term proprietary information means sensitive, non-public information of a person, including— (A)trading strategies;
 (B)analytical or research methodologies; (C)trading activity in asset classes and not subject to this Act;
 (D)physical and cyber vulnerabilities; and (E)computer hardware or software containing intellectual property..
			