On Friday, July 12, 2019, the CFTC finished updating its data catalogue, completing the first of five steps under its Data Protection Initiative.

According to a statement issued by CFTC Commissioner Dawn Stump, the initiative was introduced to improve the CFTC's approach to protection of the data it receives. With step one complete, the CFTC will now consider the use-case for collecting each data set by comparing the sensitivity of the information to its regulatory value. If the CFTC determines that there is a "demonstrable use-case" for collecting a particular data set, the agency will then:

  1. review the data collection process and consider alternative modes of access for sensitive data;

  2. evaluate security safeguards and internal controls, storage procedures, encryption formatting, permission access and usage tracking;

  3. examine agency response to a security breach; and

  4. assess how the agency stores sensitive data and update data destruction policies, as necessary.

Commentary

The CFTC's Data Protection Initiative is of interest for a couple of reasons. First, as regulated firms are required to provide regulators with a substantial amount of confidential proprietary and customer data, it is reassuring to see regulators take their responsibilities as repositories of that data seriously. The CFTC has been moving forward with its Data Protection Initiative under the leadership of Commissioner Stump since she first announced the initiative in March 2019. In November 2019, Commissioner Stump recommended steps to "streamline" the collection of data by the CFTC, and in January 2020, the CFTC became the first federal agency to adopt the National Institute of Standards and Technology ("NIST") Privacy Framework.

Second, the questions the CFTC asked itself as part of its Data Protection Initiative may assist firms in addressing their own approach to data protection. Based on Commissioner Stump's approach to formulating a "Pathway to Improve Agency Policies & Procedures," firms may wish to consider the following questions:

  • Scope of Data Collection: Has the firm created a data inventory addressing the "who, what, where and when" of data collection?

  • Access to Data: How is data received? How frequently is data received? What are the different methods through which data may be accessed?

  • Security: What safeguards and internal controls does the firm implement for storing data, including storage procedures, encryption and permissioned access?

  • Data Retention: How does the firm retain data, and for how long?

  • Disposal: How does the firm dispose of data?

  • Incident Response: What measures has the firm adopted to address data breaches?

  • Review, monitor and update: Does the firm systematically review and update its data protection procedures?

Regulated entities are subject to extensive regulatory requirements governing data. Thinking about the data lifecycle, and questions to ask at each stage of the cycle, may assist firms in formulating procedures to comply with those requirements.