DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114

A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 1/21/2021 has been entered.

Response to Arguments

Applicant's arguments filed 1/21/2021 have been fully considered but they are not persuasive.
As to Applicant’s argument that, “Hirsh fails to disclose or suggest determining whether such code includes any indication of a particular security certification and, more particularly, does not disclose or suggest determining that such code does not include In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986). Therefore, the rejection is maintained.
As to Applicant’s argument that, “Savant does not disclose or suggest determining that computer code for a webpage does not include any indication of a particular security certification and, in response to that determination, setting a weighting factor for a security certification risk factor for a vendor based on the fact that the analyzed computer code does not include any indication of the particular security certification” (Remarks, p. 15), the Examiner respectfully disagrees. In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986). Therefore, the rejection is maintained.
The balance of arguments are directed to the newly amended limitations and are addressed below.

Response to Amendment

Claims 1, 3, 8, 13-15, 19, and 21 have been amended.
Claims 1-21 are pending.

Information Disclosure Statement

The IDS filed 1/21/2021 has been considered by the Examiner.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1-3, 5, 6, 8-11, and 13-21 are rejected under 35 U.S.C. 103 as being unpatentable over US PG Pub. No. 2014/0278730 to Muhart et al. (hereinafter Muhart) in view of US Patent No. 8,788,935 to Hirsch et al. (hereinafter Hirsch) in view of US Patent No. 8,646,072 to Savant.  

As to claims 1, 15, and 21, Muhart teaches:

b.	Receiving, by one or more computer processors, one or more pieces of vendor assessment information associated with the particular vendor (selected vendor data gathered and delivered to requesting user) (Muhart, [0049]).
Muhart does not expressly mention obtaining pieces of computer code associated with the particular vendor. However, in an analogous art, Hirsch teaches:
c.	Obtaining, by one or more computer processors, based at least in part on the one or more pieces of vendor information associated with the particular vendor, one or more pieces of computer code associated with a particular webpage associated with the particular vendor (webpage code is analyzed) (Hirsch, 4:43-5:24).
Therefore, one of ordinary skill in the art would have been motivated at the time the invention was made to implement the vendor risk assessment scheme of Muhart with the webpage code analyses of Hirsch in order to detect particular features of the webpage as suggested by Hirsch (Hirsch, 13:53-67).
Muhart as modified further teaches:
d.	Analyzing, by one or more computer processors, the one or more pieces of computer code to identify one or more pieces of publicly available privacy-related information associated with the particular vendor (accessing legal and financial information of vendors to assess privacy risk) (Hirsch, 4:43-5:24 and Muhart, [0060]). While Muhart does not explicitly recite the information is “publicly 
Muhart as modified uses certifying authorities in assessing vendor risk (HIPAA, p. 11, table IV), but does not expressly mention an actual certification. However, in an analogous art, Savant teaches: 
e.	Analyzing, by one or more computer processors, the one or more pieces of computer code, to determine whether the one or more pieces of computer code comprise an indication of a particular security certification (determining whether a trusted seal (security certificate) is legitimate) (Savant, 2:63-3:12).
Therefore, one of ordinary skill in the art would have been motivated at the time the invention was made to implement the vendor risk assessment scheme of Muhart as modified with the determination of the legitimacy of a seal displayed on a webpage of Savant in order to better protect users from malicious intent as suggested by Savant (Savant, 1:5-10).
Muhart as modified further teaches:
f.	At least partially in response to determining that the one or more pieces of computer code do not comprise an indication of the particular security certification, assigning, by one or more computer processors, a particular security certification weighting factor is based at least in part on determining that the one or more pieces of computer code do not comprise the indication of the particular security certification (each element of the risk score receives a weighting factor) (Muhart, [0090-0093]).

g.	Determining, by one or more computer processors:
i. 	A respective weighting factor for each of the one or more pieces of vendor information associated with the particular vendor (weights are determined based on the various factors including industry, conflicts of interest, source of information…) (Muhart, [0090-0093]).
ii. 	A respective weighting factor for each of the one or more pieces of vendor assessment information associated with the particular vendor (weights are determined based on the various factors including industry, conflicts of interest, source of information…) (Muhart, [0090-0093]).
iii. 	A respective weighting factor for each of the one or more pieces of publicly available privacy-related information associated with the particular vendor (weights are determined based on the various factors including industry, conflicts of interest, source of information…) (Muhart, [0090-0093]).
h.	Calculating, by one or more computer processors, a privacy risk score (calculating risk from gathered data) (Muhart, [0031]), based at least in part on: 
i. 	The one or more pieces of vendor information associated with the particular vendor (calculating risk from gathered data) (Muhart, [0031]).
ii. 	The respective weighting factor for each of the one or more pieces of vendor information associated with the particular vendor (weights are determined based on the various factors including industry, conflicts of interest, source of information…) (Muhart, [0090-0093]).

iv.	The respective weighting factor for each of the one or more pieces of vendor assessment information associated with the particular vendor (weights are determined based on the various factors including industry, conflicts of interest, source of information…) (Muhart, [0090-0093]).
v.	The one or more pieces of publicly available privacy-related information associated with the particular vendor (calculating risk from gathered data) (Muhart, [0031]).
vi.	The respective weighting factor for each of the one or more pieces of publicly available privacy-related information associated with the particular vendor (weights are determined based on the various factors including industry, conflicts of interest, source of information…) (Muhart, [0090-0093]).
vii.	The security certification risk factor associated with the particular vendor (weights are determined based on the various factors including industry, conflicts of interest, source of information…) (Muhart, [0090-0093]).
viii.	The particular security certification weighting factor for the security certification risk factor associated with the particular vendor (weights are determined based on the various factors including industry, conflicts of interest, source of information…) (Muhart, [0090-0093]).


As to claim 2, Muhart as modified teaches:
a.	The one or more pieces of computer code comprise hypertext markup language (HTML) code (webpage code is analyzed including HTML) (Hirsch, 4:43-5:24).
b.	Analyzing the one or more pieces of computer code comprises analyzing the HTML code (webpage code is analyzed including HTML) (Hirsch, 4:43-5:24).

As to claim 3, Muhart as modified teaches the particular security certification is associated with ISO (ISO certification evaluated and checked for compliance) (Muhart, [0076]).

As to claim 5, Muhart as modified teaches the particular webpage is operated by the particular vendor (information is gathered from across the internet) (Muhart, [0056]). Muhart does not explicitly recite the webpage is operated by the particular vendor. However, the website is operated by the particular vendor or the website is operated by a third-party. It is obvious to one of ordinary skill that it would be prudent to check not only third-party operated websites, but also to check the website(s) operated by the 

As to claim 6, Muhart as modified teaches the particular webpage is operated by a third-party that is not the particular vendor (information is gathered from across the internet) (Muhart, [0056]).

As to claim 8, Muhart teaches:
a. 	Retrieving, from a vendor information database, one or more pieces of vendor information associated with the particular vendor (selected vendor data gathered and delivered to requesting user) (Muhart, [0049]).
b.	Retrieving, from the vendor information database, one or more pieces of vendor assessment information associated with the particular vendor (selected vendor data gathered and delivered to requesting user) (Muhart, [0049]).
Muhart does not expressly mention obtaining pieces of computer code associated with the particular vendor. However, in an analogous art, Hirsch teaches:
c.	Obtaining, based at least in part on the one or more pieces of vendor information associated with the particular vendor, one or more pieces of computer code associated with a particular webpage associated with the particular vendor (webpage code is analyzed) (Hirsch, 4:43-5:24).
Therefore, one of ordinary skill in the art would have been motivated at the time the invention was made to implement the vendor risk assessment scheme of Muhart 
Muhart as modified further teaches:
d.	Analyzing the one or more pieces of computer code to identify one or more pieces of publicly available privacy-related information associated with the particular vendor (accessing legal and financial information of vendors to assess privacy risk) (Muhart, [0060]).
While Muhart does not explicitly recite the information is “publicly available”, it is obvious to one of ordinary skill in the art that some legal and financial information is a matter of public record, such as bankruptcy, convictions, title deeds, and the like.
Muhart as modified uses certifying authorities in assessing vendor risk (HIPAA, p. 11, table IV), but does not expressly mention an actual certification. However, in an analogous art, Savant teaches:
e.	Analyzing the one or more pieces of computer code to determine whether the one or more pieces of computer code comprise an indication of a particular security certification (determining whether a trusted seal (security certificate) is legitimate) (Savant, 2:63-3:12).
Therefore, one of ordinary skill in the art would have been motivated at the time the invention was made to implement the vendor risk assessment scheme of Muhart as modified with the determination of the legitimacy of a seal displayed on a webpage of Savant in order to better protect users from malicious intent as suggested by Savant (Savant, 1:5-10).
Muhart as modified further teaches:

f.	Analyzing the one or more pieces of computer code to determine whether the one or more pieces of computer code comprise an indication of a particular security certification (determining whether a trusted seal (security certificate) is legitimate) (Savant, 2:63-3:12).
g.	At least partially in response to determining that the one or more pieces of computer code do not comprise an indication of the particular security certification, assigning, by one or more computer processors, a particular security certification weighting factor to a security certification risk factor associated with the particular vendor, wherein the particular security certification weighting factor is based at least in part on determining that the one or more pieces of computer code do not comprise the indication of the particular security certification (each element of the risk score receives a weighting factor) (Muhart, [0090-0093]).
h.	Determining whether each of the one or more pieces of vendor information associated with the particular vendor, the one or more pieces of vendor assessment information associated with the particular vendor, and the one or more pieces of publicly available privacy-related information associated with the particular vendor is currently valid (validation and verification procedures for vetting of information of the vendor) (Muhart, [0042, 0053, 0056, and 0061]).
i. 	If each of the one or more pieces of vendor information associated with the particular vendor, the one or more pieces of vendor assessment information associated with the particular vendor, and the one or more pieces of publicly available privacy-related information associated with the particular vendor is 
j.	Presenting, on a graphical user interface, the privacy risk score for the particular vendor (exemplary screenshot of risk table with risk score and subsets of various other information) (Muhart, [0104] and figs. 16A and 16B). 
k.	If any of the one or more pieces of vendor information associated with the particular vendor, the one or more pieces of vendor assessment information associated with the particular vendor, or the one or more pieces of publicly available privacy-related information associated with the particular vendor, or each of the one or more security certifications is not currently valid: requesting updated information corresponding to each of the one or more pieces of vendor information associated with the particular vendor, the one or more pieces of vendor assessment information associated with the particular vendor, and the one or more pieces of publicly available privacy-related information associated with the particular vendor is not currently valid (as vendor information changes (goes out of validation), the system sends an email to gather information to update the information and recalculate the scores) (Muhart, [0033, 0082, and 0088]).



As to claim 10, Muhart as modified teaches the one or more pieces of publicly available privacy-related information associated with the particular vendor comprises one or more privacy-related employee positions associated with the particular vendor (physicians for example) (Muhart, [0029]).

As to claim 11, Muhart as modified teaches one or more privacy-related events attended by one or more representatives of the particular vendor (employee records are kept up to date, it is obvious that this would include at least any commendations, education level, and educational upkeep to maintain certifications) (Muhart, [0036]). 

As to claims 13 and 19, Muhart as modified teaches determining whether a respective expiration date associated with each of the one or more pieces of vendor information associated with the particular vendor, the one or more pieces of vendor assessment information associated with the particular vendor, and the one or more pieces of publicly available privacy-related information associated with the particular vendor has passed (as vendor information changes (goes out of validation or does not), 

As to claim 14, Muhart as modified teaches requesting updated information corresponding to any of the one or more pieces of vendor information associated with the particular vendor, the one or more pieces of vendor assessment information associated with the particular vendor, and the one or more pieces of publicly available privacy related information associated with the particular vendor is not currently valid comprises generating and transmitting an assessment to the particular vendor (updating and recalculating risk score) (Muhart, [0033, 0082, and 0088]). 

As to claim 16, Muhart as modified teaches the one or more pieces of publicly available privacy-related information associated with the particular vendor comprises an indication of a contract between the particular vendor and a government entity (information gathered includes whether a federal contract is involved with the vendor) (Muhart, [0043]).

As to claim 18, Muhart as modified teaches the one or more pieces of publicly available privacy-related information associated with the particular vendor comprises one or more privacy control centers configured on the one or more webpages associated with the particular webpage (web services of the invention) (Muhart, fig. 6 and associated text).


Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over US PG Pub. No. 2014/0278730 to Muhart et al. (hereinafter Muhart) in view of US Patent No. 8,788,935 to Hirsch et al. (hereinafter Hirsch) in view of US Patent No. 8,646,072 to Savant as applied to claim 1 above, and further in view of US PG Pub. No. 2016/0140466 to Sidebottom et al. (hereinafter Sidebottom).

As to claim 4, Muhart as modified does not expressly mention using a social networking site as a source of information. However, in an analogous art, Sidebottom teaches the one or more pieces of publicly available privacy-related information associated with the particular vendor comprises one or more pieces of information associated with a social networking site (social media) (Sidebottom, [0041]). 
Therefore, one of ordinary skill in the art would have been motivated at the time the invention was made to implement the vendor risk assessment scheme of Muhart as modified with the use of social media in order to provide additional data for risk assessment as suggested by Sidebottom (Sidebottom, [0041]).

Claim 7 and claim 12 are rejected under 35 U.S.C. 103 as being unpatentable over US PG Pub. No. 2014/0278730 to Muhart et al. (hereinafter Muhart) in view of US Patent No. 8,788,935 to Hirsch et al. (hereinafter Hirsch) in view of US Patent No. 8,646,072 to Savant as applied to claim 1 and claim 8 respectively above, and further in view of US Patent No. 9,055,071 to Gates et al. (hereinafter Gates).

As to claims 7 and 12, Muhart as modified does not expressly mention natural language processing. However, in an analogous art, Gates teaches:
a.	The one or more pieces of vendor information associated with the particular vendor comprises particular terms obtained from one or more documents (supporting documents) (Muhart, [0105]).
b.	Analyzing the one or more documents using one or more natural language processing techniques to identify the particular terms in the one or more documents (documents are analyzed with natural language processing) (Gates, 20:16-40).
Therefore, one of ordinary skill in the art would have been motivated at the time the invention was made to implement the vendor risk assessment scheme of Muhart as modified with the natural language processing of documents of Gates in order to determine the semantic meaning of terms in the document as suggested by Gates (Gates, 20:16-40).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILLIAM S POWERS whose telephone number is (571)272-8573.  The examiner can normally be reached on M-F 7:30-17:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Hadi Armouche, can be reached on 571 270 3618.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/WILLIAM S POWERS/           Primary Examiner, Art Unit 2419