DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. This office action is in response to the application filed on 01/26/2021. Claims 1, 12, 15, and 18 are amended. Claims 1-20 are pending.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Terminal Disclaimer

The terminal disclaimer filed on 01/26/2021 disclaiming the terminal portion of any patent granted on this application which would extend beyond the expiration date of U.S. Patent application No. 8707445, 8763133, 9483650, 9781147 has been reviewed and is accepted. The terminal disclaimer has been recorded.
Allowable Subject Matter
Claims 1-20 are allowed.
The following is an examiner’s statement of reasons for allowance:
The present invention relates to systems and methods for managing a multi-region data incident. Example methods include receiving, via a risk assessment server, in response to an occurrence of the data incident, data incident data that includes information corresponding to the data incident, wherein the data incident has a plurality of facets with each facet having any of unique and overlapping set of privacy data and media type and associated 
Regarding claim 1, although the prior art of record teaches receiving, via a risk assessment server, in response to an occurrence of the data incident, data incident data that comprises information corresponding to the data incident, the data incident further comprising intentional or unintentional release of personally identifiable information to an untrusted environment; automatically generating, via the risk assessment server, a risk assessment from a comparison of the data incident data to privacy rules, the privacy rules comprising at least one federal rule each of the rules defining requirements associated with data incident notification laws; providing, via the risk assessment server, the risk assessment to a display device that selectively couples with the risk assessment server; and wherein the receiving data incident data further comprises: providing, in response to a determination of at least one of the privacy rules, one or more questions to the display device that elicits information corresponding to the data incident, the one or more questions tailored to specific criteria of the at least one of the privacy rules; and receiving responses to the one or more questions.
None of the prior art, alone or in combination teaches further comprising generating a notification schedule when the comparison indicates that the data incident violates and triggers a notification obligation according to the at least one federal rule; and wherein the notification schedule comprises notification dates that are based upon a violated federal rule, along with notification requirements that describe information that is to be provided to a regulatory agency or to an affected individual whose personal data has been compromised, disclosed or released as a result of the data incident in view of the other limitations of claim 1.
Regarding claim 12, although the prior art of record teaches receiving, via a risk assessment server, in response to an occurrence of the data incident, data incident data that comprises information corresponding to the data incident, the data incident further comprising intentional or unintentional release of personally identifiable information to an untrusted environment; automatically generating, via the risk assessment server, a risk assessment from a comparison of the data incident data to privacy rules, the privacy rules comprising at least one federal rule each of the rules defining requirements associated with data incident notification laws; providing, via the risk assessment server, the risk assessment to a display device that selectively couples with the risk assessment server.
None of the prior art, alone or in combination teaches further comprising generating a notification schedule when the comparison indicates that the data incident violates at least one of the at least one federal rule and when the comparison indicates that the data incident violates and triggers a notification obligation according to the at least one federal rule; and wherein the notification schedule comprises notification dates that are based upon a violated federal rule, along with notification requirements that describe information that is to be provided to a regulatory agency or to an affected individual whose personal data has been compromised, disclosed or released as a result of the data incident in view of the other limitations of claim 12.
Regarding claim 15, although the prior art of record teaches receiving, via a risk assessment server, in response to an occurrence of the data incident, data incident data that comprises information corresponding to the data incident, the data incident further comprising intentional or unintentional release of personally identifiable information to an untrusted environment; automatically generating, via the risk assessment server, a risk assessment from a comparison of the data incident data to privacy rules, the privacy rules comprising: at least one federal rule; each of the rules defining requirements associated with data incident notification laws; and at least one contractual obligation defining contractual requirements of a breaching party due to the data incident, the breaching party being a party to the at least one contractual obligation; providing, via the risk assessment server, the risk assessment to a display device that selectively couples with the risk assessment server.
None of the prior art, alone or in combination teaches generating a notification schedule when the comparison indicates that the data incident violates at least one of the at least one federal rule, the at least one contractual obligation, or combinations thereof and wherein the notification schedule comprises notification dates that are based upon a violated federal rule or a violated contractual rule, along with notification requirements that describe information that is to be provided to a regulatory agency or to an affected individual whose personal data has been compromised, disclosed or released as a result of the data incident in view of the other limitations of claim 15.
Regarding claim 18, although the prior art of record teaches providing an external entity interface that receives: external entity information comprising: a contract between a first party and at least one additional party; notification obligations that specify when the first party or the at least one additional party notifies entities that a data incident has occurred; and properties that trigger an assessment of the notification obligations; receiving, via a risk assessment server, in response to an occurrence of the data incident, data incident data that comprises information corresponding to the data incident, the data incident further comprising intentional or unintentional release of personally identifiable information to an untrusted environment by the first party or the at least one additional party; comparing the data incident data to the properties that trigger an assessment; wherein if the properties indicate that an assessment is required, generating, via the risk assessment server, a risk assessment from a comparison of the data incident data to privacy rules, the privacy rules comprising: at least one federal rule; each of the rules defining requirements associated with data incident notification laws; and the contract; providing, via the risk assessment server, the risk assessment to a display device that selectively couples with the risk assessment server; generating a risk assessment guidance interface when the comparison indicates that the data incident violates at least one of the at least one federal rule, the contract, or combinations thereof; and wherein the risk assessment guidance interface comprises an impact summary that indicates which federal rule was violated and one or more external entities implicated or impacted in the data incident.
None of the prior art, alone or in combination teaches further comprising generating a notification schedule when the comparison indicates that the data incident violates and triggers a notification obligation according to the at least one federal rule or a contractual rule; and wherein the notification schedule comprises notification dates that are based upon a violated federal rule or a contractual rule, along with notification requirements that describe information that is to be provided to a regulatory agency or to an affected individual whose personal data has been compromised, disclosed or released as a result of the data incident in view of the other limitations of claim 18.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue 
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHAHRIAR ZARRINEH whose telephone number is (571)272-1207.  The examiner can normally be reached on Monday-Friday, 8:30am-5:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni Shiferaw can be reached on 571-272-3867.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/SHAHRIAR ZARRINEH/Examiner, Art Unit 2497