Privacy Act of 1974; System of Records
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Abstract
In accordance with the Privacy Act of 1974, the Commodity Futures Trading Commission (CFTC or Commission) is establishing a new Privacy Act system of records titled "CFTC-59, Insider Risk Program Records." This system of records contains information that the Commission collects, maintains, and uses to administer its Insider Risk program and to detect, deter, and mitigate risks to individuals, facilities, information, equipment, networks, and systems within the CFTC. This newly established system of records will be included in the CFTC's inventory of record systems.
Full Text
<html>
<head>
<title>Federal Register, Volume 91 Issue 87 (Wednesday, May 6, 2026)</title>
</head>
<body><pre>
[Federal Register Volume 91, Number 87 (Wednesday, May 6, 2026)]
[Notices]
[Pages 24525-24528]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2026-08978]
=======================================================================
-----------------------------------------------------------------------
COMMODITY FUTURES TRADING COMMISSION
Privacy Act of 1974; System of Records
AGENCY: Commodity Futures Trading Commission.
ACTION: Notice of a new system of records.
-----------------------------------------------------------------------
SUMMARY: In accordance with the Privacy Act of 1974, the Commodity
Futures Trading Commission (CFTC or Commission) is establishing a new
Privacy Act system of records titled ``CFTC-59, Insider Risk Program
Records.'' This system of records contains information that the
Commission collects, maintains, and uses to administer its Insider Risk
program and to detect, deter, and mitigate risks to individuals,
facilities, information, equipment, networks, and systems within the
CFTC. This newly established system of records will be included in the
CFTC's inventory of record systems.
DATES: This system of records, including the routine uses, is effective
June 15, 2026. Please submit comments on or before June 5, 2026.
ADDRESSES: You may submit comments, identified as pertaining to CFTC-59
Insider Risk Program, by any of the following methods:
• <a href="http://Regulations.gov">Regulations.gov</a>: Go to <a href="https://www.regulations.gov">https://www.regulations.gov</a> and
press the ``Search'' button, then proceed as follows:
1. Under Refine Documents Results--check the box to ``Only show
documents open for comment'';
2. Under Agency--select ``See More'' and check the box for
``Commodity Futures Trading Commission,'' then press the Apply button;
3. Identify this proposal in the list of CFTC documents open for
comment, press the ``Comment'' button to open the submission form, and
follow the instructions on the form.
Alternatively, if you are viewing this proposal on
<a href="http://www.federalregister.gov">www.federalregister.gov</a>, click the ``Submit A Public Comment'' button
at the top of the page to open the comment form. Follow the
instructions on the form to submit your comment to <a href="http://Regulations.gov">Regulations.gov</a>.
• Mail: Send to--Christopher Kirkpatrick, Secretary of the
Commission, Commodity Futures Trading Commission, Three Lafayette
Centre, 1155 21st Street NW, Washington, DC 20581.
• Hand Delivery/Courier: Address to--CFTC Comment
Submission, Attn: Christopher Kirkpatrick, Secretary of the Commission,
Commodity Futures Trading Commission, Three Lafayette Centre, 1155 21st
Street NW, Washington, DC 20581.
Please submit your comments using only one of these methods. To
avoid possible delays with mail or in-person deliveries, submissions
through <a href="http://Regulations.gov">Regulations.gov</a> are encouraged.
All comments must be submitted in English or, if not, accompanied
by an English translation. Do not include in your comment text or
attachments any personal identifying information or business
information that you do not want published online. Comments (regardless
of submission method) will be published without review for, and without
removal of, any personal identifying information or information your
business may consider confidential.
If you wish to submit confidential information for the Commission's
consideration, please contact the CFTC personnel listed in this Notice
under FOR FURTHER INFORMATION CONTACT before making any submission.
Please also carefully review the Commission's procedures in 17 CFR
145.9 for requesting confidential treatment under the Freedom of
Information Act (FOIA) of information submitted to the Commission.
The CFTC reserves the right, but shall have no obligation, to
review, pre-screen, filter, or redact all or any part of your comment
submission. The CFTC also reserves the right, without further
notification, to refuse to publish or to remove from public view all or
any part of your submission to the extent it contains content
inappropriate for publication in a comment file, such as--without
limitation--obscene language, threats of violence, solicitations for
commercial sales or illegal activity, or obvious spam. If a submission
that is refused for or withdrawn from publication because of
inappropriate content also contains comments on the merits of this
proposal, such submission will be retained in the record for the matter
and will be considered as required under the Administrative Procedure
Act and other applicable laws, and may be accessible under the FOIA.
[[Page 24526]]
FOR FURTHER INFORMATION CONTACT: Kellie Cosgrove Riley, Chief Privacy
Officer, privacy@cftc.gov, (202) 418-5610, Office of the General
Counsel, Commodity Futures Trading Commission, Three Lafayette Centre,
1155 21st Street NW, Washington, DC 20581.
SUPPLEMENTARY INFORMATION: In accordance with the Privacy Act of 1974,
5 U.S.C. 552a, the Commodity Futures Trading Commission (CFTC or
Commission) is establishing a new system of records titled ``CFTC-59,
Insider Risk Program Records.'' The Commission recently established an
Insider Risk Program responsible for detecting insider risks;
preventing insider risks by establishing a secure operating environment
that protects individuals, facilities, information, equipment,
networks, and information systems; responding to insider risks; and
implementing response measures. An Insider is any person who has or had
authorized access to or knowledge of the CFTC's resources, including
employees, facilities, information, equipment, networks, and systems.
An Insider Risk is a risk that an insider will use their authorized
access, wittingly or unwittingly, to harm the security of
organizational operations and assets, individuals, other organizations,
or the Nation. This risk or threat can include damage through
espionage, terrorism, unauthorized disclosure, or through the loss or
degradation of organizational resources or capabilities. An Insider
Risk may be identified through examination of network activity or other
logs that reveal an individual's access to information the individual
does not have a need-to-know; access to physical spaces or the network
at hours outside of normal work habits/hours; out-of-the-ordinary
downloading, printing, or emailing of large volumes of materials; or
other identified anomalies in an individual's workplace behavior.
The Commission's Insider Risk Program is made up of an Insider Risk
Response Team within the CFTC's Cyber and Physical Security Branch and
an Insider Risk Working Group, which includes representatives from a
small number of CFTC stakeholder offices, that reviews and approves the
activities of the Insider Risk Response Team. The Insider Risk Program
collects information about individuals who pose a potential or actual
Insider Risk in the course of investigating and mitigating that risk.
This includes information from a variety of sources, including via the
use of network monitoring tools, from CFTC employees who report
suspected or potential insider risk activity, and from various records
maintained by the Commission or by others, such as personnel records,
incident reports, disciplinary records, access and print logs, and
physical security records. The Insider Risk Program records are
generally not intended to be disclosed outside of the Commission and,
therefore, the routine uses in the SORN are limited to those instances
where disclosure is necessary for, e.g., litigation, law enforcement,
breach response, obtaining information relevant to an insider risk
investigation, and to meet audit and records requirements.
This newly established system of records will be included in CFTC's
inventory of record systems. In accordance with 5 U.S.C. 552a(r), the
CFTC has provided a report of this system of records to the Office of
Management and Budget and to Congress. In addition, the CFTC is issuing
a Notice of Proposed Rulemaking to exempt this system of records from
certain provisions of the Privacy Act elsewhere in the Federal
Register.
SYSTEM NAME AND NUMBER:
Insider Risk Program Records, CFTC-59.
SECURITY CLASSIFICATION:
Unclassified.
SYSTEM LOCATION:
The Cyber Security Section, Cyber and Physical Security Branch,
Division of Administration in the CFTC office at Three Lafayette
Centre, 1155 21st Street NW, Washington, DC, is responsible for the
collection and maintenance of the records in this system of records.
SYSTEM MANAGER(S):
Deputy Chief Information Security Officer, Cybersecurity Section,
Cyber and Physical Security Branch, Commodity Futures Trading
Commission, Three Lafayette Centre, 1155 21st Street NW, Washington, DC
20581.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
Authority for the maintenance of this system of records is derived
from Executive Order 13587, Structural Reforms to Improve the Security
of Classified Networks and the Responsible Sharing and Safeguarding of
Classified Information, from 15 U.S.C. 278g-3, Computer standards
program, and from threat- and risk-related procedural requirements
indicated in National Institute of Standards and Technology Special
Publication 800-53, Rev. 5, Security and Privacy Controls for
Information Systems and Organizations.
PURPOSE(S) OF THE SYSTEM:
The purpose of this system of records is to detect, deter, and
mitigate insider risks and to protect individuals, facilities,
information, equipment, networks, and systems from insider risks. The
records in this system of records will be used to manage insider risk
inquiries and complaints; identify and track potential insider risks to
the CFTC; manage referrals of potential insider risks to and from
external partners; facilitate the creation of statistical reports and
meet any insider risk reporting requirements; and support the
identification of systemic insider risk issues and challenges to
develop solutions for detecting, deterring, and mitigating those
challenges.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
CFTC employees, contractors, and any other individuals who have or
had been granted access to CFTC facilities and networks.
CATEGORIES OF RECORDS IN THE SYSTEM:
The records in this system of records include all information
collected in the context of investigating a potential or actual insider
risk. That information may include:
• Name, including alias(es) and former names.
• Physical mailing addresses.
• Email addresses.
• Phone numbers.
• Sex.
• Height and weight.
• Hair and eye color.
• Biometric data (e.g., fingerprints, iris scans).
• Other distinguishing physical attributes.
• Race, national origin, and ethnicity.
• Citizenship.
• Date and place of birth.
• Social Security number.
• Driver license number(s).
• Vehicle Identification Number(s).
• License plate number(s).
• Passport number(s).
• Personal Identity Verification (PIV) information.
• Other unique identifiers.
• Education history.
• Work history.
• Performance information and evaluations.
• Background investigation reports and supporting
documentation.
• Briefing and debriefing statements for special programs
and sensitive positions.
• Courier authorization requests.
• Current and former clearance status(s).
• Document control registries.
[[Page 24527]]
• Facility access records.
• CCTV footage.
• Nondisclosure agreements.
• Records reflecting personal and official foreign travel.
• Requests for access to proprietary, sensitive, or
Controlled Unclassified Information (CUI).
• Time and attendance information.
• Drug test results.
• Incident reports.
• Individuals' statements or affidavits and correspondence.
• Investigative records of a criminal, civil, or
administrative nature.
• Letters, emails, memoranda, and reports.
• Records obtained from the Intelligence Community, law
enforcement partners, or from other agencies or organizations as
collaborators.
• User Activity Monitoring records.
• Financial records obtained from Financial Crimes
Enforcement Network.
RECORD SOURCE CATEGORIES:
Records in this system of records are obtained from a variety of
sources, to include software that monitors users' activity on the CFTC
computer network; individuals or their employers; CFTC offices and
divisions; public open-source platforms; and other federal, state, or
local government or private sector entities. Records in this system of
records may also be obtained from individuals who report insider risks
to the Insider Risk Program.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES
OF USERS AND PURPOSES OF SUCH USES:
In addition to those disclosures generally permitted under 5 U.S.C.
552a(b) of the Privacy Act, all or a portion of the records or
information contained in this system may be disclosed outside of the
Commission as a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:
a. To the Department of Justice when:
(i) the Commission, or any component thereof; or
(ii) any employee of the Commission in their official capacity; or
(iii) any employee of the Commission in their individual capacity
where the Department of Justice has agreed to represent the employee;
or
(iv) the United States, where the Commission determines that
litigation is likely to affect the Commission or any of its components,
is a party to litigation or has an interest in such litigation, and
the use of such records by the Department of Justice is deemed by the
Commission to be relevant and necessary to the litigation.
b. In a proceeding before a court or adjudicative body before which
the Commission is authorized to appear, during a proceeding before that
court or adjudicative body, when:
(i) the Commission, or any component thereof; or
(ii) any employee of the Commission in his or her official
capacity; or
(iii) any employee of the Commission in his or her individual
capacity where the Commission has agreed to represent the employee; or
(iv) the United States, where the Commission determines that
litigation is likely to affect the Commission or any of its components,
is a party to litigation or has an interest in such litigation, and
the Commission determines that use of such records is relevant and
necessary to the litigation.
c. To the appropriate federal, state, local, territorial, tribal,
or foreign law enforcement authority or other appropriate entity, when
a record, either alone or in conjunction with other information,
indicates a violation or potential violation of law--whether criminal,
civil, or regulatory in nature--and the authority or entity to whom the
record is disclosed is charged with the responsibility for
investigating or prosecuting such violation or is charged with
enforcing or implementing such law.
d. To the National Archives and Records Administration (NARA) for
records management inspections being conducted under the authority of
44 U.S.C. 2904 and 2906.
e. To contractors, grantees, experts, consultants, or volunteers
performing or working on a contract, service, grant, cooperative
agreement, or other assignment for the Commission when necessary to
accomplish a Commission function related to this system of records.
f. To a member of Congress from the record of an individual in
response to an inquiry made at the request of the individual to whom
the record pertains, but only to the extent that the record would be
legally accessible to that individual.
g. To appropriate agencies, entities, and persons when (1) the
Commission suspects or has confirmed that there has been a breach of
the system of records, (2) the Commission has determined that as a
result of the suspected or confirmed breach there is a risk of harm to
individuals, the Commission (including its information systems,
programs, and operations), the Federal Government, or national
security; and (3) the disclosure made to such agencies, entities, and
persons is reasonably necessary to assist in connection with the
Commission's efforts to respond to the suspected or confirmed breach or
to prevent, minimize, or remedy such harm.
h. To another Federal agency or Federal entity, when the Commission
determines that information from this system of records is reasonably
necessary to assist the recipient agency or entity in (1) responding to
a suspected or confirmed breach or (2) preventing, minimizing, or
remedying the risk of harm to individuals, the recipient agency or
entity (including its information systems, programs, and operations),
the Federal Government, or national security, resulting from a
suspected or confirmed breach.
i. To any third party when the Commission determines that the third
party has or potentially has relevant information about the subject of
an insider risk investigation, but only those records necessary to
identify the individual and obtain information pertinent to the
investigation.
j. To the National Insider Threat Task Force (NITF) for the purpose
of conducting an audit of the Insider Risk Program pursuant to
Executive Order 13587, Sections 6.3(f) and 7(d), but only to the extent
necessary to meet the parameters of the audit.
POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
The records in this system are maintained electronically or on
paper in secure facilities and available only to those with a business
need to know. Electronic records are stored on the Commission's secure
network and access is controlled via role-based permissions.
POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
The records in this system are retrieved by an individual's name or
associated case file number, email address, computer assigned
identification number, business affiliation, event name, or other
personal identifier.
POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
The records in this system are maintained and disposed of in
accordance with the National Archives and Records Administration (NARA)
General Records Schedule GRS 5.6 Security Management Records.
Specifically, items 210 Insider threat administrative and operations
records, 220 Insider threat inquiry records, and 230 Insider threat
information. All electronic records, files, and data are destroyed
either by physical destruction of the electronic storage media or by
[[Page 24528]]
erasure of the data. Any paper records are disposed of by shredding.
ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
Records are protected from unauthorized access and improper use and
disclosure through administrative, technical, and physical security
measures employed by the CFTC. Administrative safeguards include
maintenance of written policies, standards, and procedures reinforced
by training and periodic auditing. Technical security safeguards
include restrictions on computer access to authorized individuals who
have a legitimate need to know the information, required use of strong
passwords that are frequently changed, multi-factor authentication for
remote access and access to many network components, use of encryption
for certain data types and transfers, and firewalls and intrusion
detection applications. Physical safeguards include restrictions on
building access to authorized individuals, use of security guard
services, and video surveillance.
RECORD ACCESS PROCEDURES:
The Commission has exempted this system of records from the access
provisions of the Privacy Act pursuant to 5 U.S.C. 552a(k)(2) and
subject to the limitations and requirements therein. However, the
Commission will consider individual requests for access and determine
on a case-by-case basis whether the records may be released.
Individuals seeking access to records about themselves in this system
should address written inquiries to the Office of the General Counsel,
Commodity Futures Trading Commission, Three Lafayette Centre, 1155 21st
Street NW, Washington, DC 20581. See 17 CFR 146.3 for full details on
what to include in a Privacy Act access request.
CONTESTING RECORD PROCEDURES:
The Commission has exempted this system of records from the
notification, access, and amendment provisions of the Privacy Act
pursuant to 5 U.S.C. 552a(k)(2) and subject to the limitations and
requirements therein. Individuals contesting the content of records
about themselves contained in this system should address written
inquiries to the Office of the General Counsel, Commodity Futures
Trading Commission, Three Lafayette Centre, 1155 21st Street NW,
Washington, DC 20581. See 17 CFR 146.8 for full details on what to
include in a Privacy Act amendment request. The Commission will
determine on a case-by-case basis whether to accept such a request.
NOTIFICATION PROCEDURES:
The Commission has exempted this system of records from the
notification, access, and amendment provisions of the Privacy Act
pursuant to 5 U.S.C. 552a(k)(2) and subject to the limitations and
requirements therein. However, the Commission will consider individual
requests for notification and determine on a case-by-case basis whether
to provide the requested notification. Individuals seeking notification
of any records pertaining to themselves contained in this system should
address written inquiries to the Office of the General Counsel,
Commodity Futures Trading Commission, Three Lafayette Centre, 1155 21st
Street NW, Washington, DC 20581. See 17 CFR 146.3 for full details on
what to include in a Privacy Act notification request.
EXEMPTIONS PROMULGATED FOR THE SYSTEM:
The Commission, pursuant to 5 U.S.C. 552a(k)(2) and subject to the
limitations and requirements set forth therein, has exempted this
system of records from the following provisions of the Privacy Act:
(c)(3); (d); (e)(1); (e)(4)(G), (H), and (I); and (f). To the extent a
record contains information from other systems of records to which
additional exemptions apply, the Commission will also recognize and
apply those exemptions.
HISTORY:
None.
Issued in Washington, DC, on May 4, 2026, by the Commission.
Robert Sidman,
Deputy Secretary of the Commission.
[FR Doc. 2026-08978 Filed 5-5-26; 8:45 am]
BILLING CODE 6351-01-P
</pre></body>
</html>