DETAILED ACTION

Notice of Pre-AIA  or AIA  Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114

A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 1/21/2021 has been entered.
 
Response to Arguments

Applicant's arguments filed 1/21/2021 have been fully considered but they are not persuasive.
As to Applicant’s argument that, “Spoonamore fails to disclose or suggest receiving a security certification in response to a first privacy risk assessment questionnaire, determining that the security certification has expired, and automatically In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986). Details of how the newly added limitations are rejected are addressed below.

Response to Amendment

Claims 1, 8, 11-15 and 21 have been amended.
Claims 1-21 are pending.

Information Disclosure Statement

The IDS filed 1/21/2021 has been considered by the Examiner.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:



Claims 1, 8, 15, and 21 are rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention. It is not clear from the claim language or the specification how the invention compels the vendor to respond to a notification (assessment questionnaire) of the expiration of a security certification. It is up to the vendor to provide assessment data so that a risk score can be calculated. If the vendor does not respond with an updated security certification or any information relevant to a risk assessment calculation, it would result, presumably, in a higher risk score. The Examiner interprets the limitation concerning the response to the expiration of the security certification as a choice by the vendor. If the vendor responds with an updated security certification then the updated security certification is included in the updated risk score. If the vendor does not respond, which is a response nonetheless, then the updated risk score does not include the particular security certification as part of the updated risk score, probably resulting in a higher risk score.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of 
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1-21 are rejected under 35 U.S.C. 103 as being unpatentable over US PG Pub. No. 2014/0278730 to Muhart et al. (hereinafter Muhart) in view of US PG Pub. No. 2016/0140466 to Sidebottom et al. (hereinafter Sidebottom) in view of US Patent No. 9,055,071 to Gates et al. (hereinafter Gates) further in view of US PG Pub. No. 2008/0047016 to Spoonamore.

As to claim 1, Muhart teaches:a.	Receiving, by one or more computer processors, vendor information associated with a particular vendor (selected vendor data gathered and delivered to requesting user) (Muhart, [0049]).
Muhart gathers information from vendors, but does not expressly mention a questionnaire. However, in an analogous art, Sidebottom teaches:
b.	Generating, by one or more computer processors, a first privacy risk assessment questionnaire for the particular vendor (given questionnaire is generated to probe inherent risk in a vendor) (Sidebottom, [0064-0066]).
Therefore, one of ordinary skill in the art would have been motivated at the time the invention was made to implement the vendor risk assessment scheme of Muhart with the vendor questionnaire generation of Sidebottom in order to better evaluate vendor risk and quality of service as suggested by Sidebottom (Sidebottom, [0003]).
Muhart as modified further teaches:
c.	Transmitting, by one or more computer processors, the first privacy risk assessment questionnaire to the particular vendor (vendors complete questionnaire) (Sidebottom, [0065]).

Muhart as modified does not expressly mention using natural language processing. However, in an analogous art, Gates teaches:
e.	Analyzing, by one or more computer processors, the one or more documents using one or more natural language processing techniques to identify one or more particular terms in the one or more documents (using natural language processing techniques to analyze documents) (Gates, 20:16-40).
Therefore, one of ordinary skill in the art at the time the invention was made would have been motivated to implement the vendor risk assessment scheme of Muhart as modified with the natural language processing of Gates in order to infer the meaning of keywords in various documents as suggested by Gates (Gates, 20:16-40).
Muhart as modified further teaches:
f.	Associating, by one or more computer processors, the one or more particular terms in the one or more documents with the vendor assessment information associated with the particular vendor (using natural language processing techniques to analyze documents) (Muhart, at least [0037] and Gates, 20:16-40).

While Muhart does not explicitly recite the information is “publicly available”, it is obvious to one of ordinary skill in the art that some legal and financial information is a matter of public record, such as bankruptcy, convictions, title deeds, and the like.
h.	Determining, by one or more computer processors, an expiration date for at least one piece of the vendor assessment information (expiration date of a vendor’s credentialing data (vendor assessment information)) (Muhart, [0076]).
i.	Storing, by one or more computer processors in a computer memory, the expiration data for the at least one piece of the vendor assessment information (expiration date of a vendor’s credentialing data is part of the information used for assessing the vendor) (Muhart, [0076]).
j.	Associating, by one or more computer processors in the computer memory, the expiration data for the at least one piece of vendor assessment information (expiration date of a vendor’s credentialing data is part of the information used for assessing the vendor and part of vendor’s risk profile) (Muhart, [0076]).
Muhart as modified does not expressly mention a security certification with an expiration date. However, in an analogous art, Spoonamore teaches:
k.	Determining, by one or more processors, that the at least one piece of the vendor assessment information comprises a security certification (validating 
Therefore, one of ordinary skill in the art at the time the invention was made would have been motivated to implement the vendor risk assessment scheme of Muhart as modified with the security certification of Spoonamore in order to better manage risk as suggested by Spoonamore (Spoonamore, [0034]).
Muhart as modified further teaches:
l.	At least partially in response to determining that the at least one piece of vendor assessment information comprises the security certification, identifying, by one or more computer processors, a particular weighting factor for the at least one piece of vendor assessment information (weight factors for algorithm analyses) (Muhart, [0041]).
m.	Assigning, by one or more computer processors, the particular weighting factor to the at least one piece of the publicly available privacy-related information (weight factors for algorithm analyses) (Muhart, [0041]).
n.	Determining, by one or more computer processors, that the expiration date has occurred (vendors are notified when an expiration date has occurred or will occur) (Muhart, [0033]).
o.	At least partially in response to determining that the expiration date has occurred (vendors are notified when an expiration date has occurred or will occur) (Muhart, [0033]) substantially automatically:
i.	Generating, by one or more computer processors, a second privacy risk assessment questionnaire soliciting an updated security certification 
ii.	Transmitting, by one or more computer processors, the second privacy risk assessment questionnaire to the particular vendor (notification email (second privacy risk assessment questionnaire) is sent) (Muhart, [0033]).
iii.	Receiving, by one or more computer processors, from the particular vendor, one or more responses to the second privacy risk assessment questionnaire, wherein the one or more responses comprise the updated security certification (notification email (second privacy risk assessment questionnaire) is sent) (Muhart, [0033]). As noted above, there is no way to ensure that the vendor would respond with a security certification and that if there is no response from the vendor then the particular security certification is not used in risk calculation.
iv.	Updating, by one or more computer processors, the at least one piece of the vendor assessment information with the updated security certification (updating vendor information including risk scores and gathering the most current data) (Muhart, [0077-0078]).
p.	Calculating, by one or more computer processors, a risk score for the particular vendor based at least in part on the vendor information associated with the particular vendor, and the publicly available privacy-related information associated with the particular vendor, and the particular weighting factor for the 
q.	Determining, by one or more computer processors, additional privacy-related information associated with the particular vendor based at least in part on the vendor information associated with the particular vendor, the vendor assessment information associated with the particular vendor, and the publicly available privacy-related information associated with the particular vendor (additional information gathered) (Muhart, [0049]).
r.	Presenting, by one or more processors on a graphical user interface the risk score for the particular vendor, at least a subset of the vendor information associated with the particular vendor, and at least a subset of the additional privacy-related information associated with the particular vendor (exemplary screenshot of risk table with risk score and subsets of various other information) (Muhart, [0104] and figs. 16A and 16B).

As to claim 2, Muhart as modified teaches:
a.	Scanning one or more webpages associated with the particular vendor (information is gathered from across the internet) (Muhart, [0056]).
b.	Identifying one or more pieces of privacy-related information associated with the particular vendor (data from websites (e.g., FEIN lookup) is acquired and analyzed) (Muhart, [0056]). 



As to claim 4, Muhart as modified teaches the publicly available privacy-related information associated with the particular vendor comprises one or more webpages operated by the particular vendor (information is gathered from across the internet) (Muhart, [0056]). Muhart does not explicitly recite the webpage is operated by the particular vendor. However, the website is operated by the particular vendor or the website is operated by a third-party. It is obvious to one of ordinary skill that it would be prudent to check not only third-party operated websites, but also to check the website(s) operated by the particular vendor to check the veracity of any information on the particular vendor’s website.

As to claim 5, Muhart as modified teaches the publicly available privacy-related information associated with the particular vendor comprises one or more webpages operated by a third party (information is gathered from across the internet) (Muhart, [0056]).

As to claims 6 and 10, Muhart as modified teaches one or more of the one or more particular terms in the one or documents comprise one or more contract terms (documents, including contracts, are analyzed with natural language processing) (Muhart, [0057] and Gates, 20:16-40).

As to claim 7 , Muhart as modified teaches calculating the risk score for the particular vendor is further based at least in part on the particular terms in the one or more documents (calculating risk from gathered data) (Muhart, [0031] and Gates, 20:16-40).

As to claim 8, Muhart teaches:
a.	Detecting, on a first graphical user interface, a selection of user-selectable control associated with a particular vendor (user selects one or more vendors to compare) (Muhart, [0037 and 0039]).
Muhart gathers information from vendors, but does not expressly mention a questionnaire. However, in an analogous art, Sidebottom teaches:
b.	At least partially in response to detecting the selection of the user-selectable control associated with the particular vendor, generating a first privacy risk questionnaire (given questionnaire is generated to probe inherent risk in a vendor) (Sidebottom, [0064-0066]).
Therefore, one of ordinary skill in the art would have been motivated at the time the invention was made to implement the vendor risk assessment scheme of Muhart with the vendor questionnaire generation of Sidebottom in order to better evaluate vendor risk and quality of service as suggested by Sidebottom (Sidebottom, [0003]).
Muhart as modified further teaches:
c.	Transmitting the first privacy risk assessment questionnaire to the particular vendor (vendors complete questionnaire) (Sidebottom, [0065]).

Muhart as modified does not expressly mention using natural language processing. However, in an analogous art, Gates teaches:
e.	Analyzing the one or more documents using one or more natural language processing techniques to identify one or more particular terms in the one or more documents (using natural language processing techniques to analyze documents) (Gates, 20:16-40).
Therefore, one of ordinary skill in the art at the time the invention was made would have been motivated to implement the vendor risk assessment scheme of Muhart as modified with the natural language processing of Gates in order to infer the meaning of keywords in various documents as suggested by Gates (Gates, 20:16-40).
Muhart as modified further teaches:
f.	Storing the first privacy risk assessment questionnaire responses that the identified one or more particular terms in a vendor information database (Sidebottom, [0044]).
g.	Associating the first privacy risk assessment questionnaire responses and the identified one or more particular terms with vendor information associated with the particular vendor in the vendor information database (using natural language processing techniques to analyze documents) (Muhart, at least [0037] and Gates, 20:16-40).

i.	Obtaining, based at least in part on the vendor information associated with the particular vendor, publicly available privacy-related information associated with the particular vendor (accessing legal and financial information of vendors to assess privacy risk) (Muhart, [0060]).
While Muhart does not explicitly recite the information is “publicly available”, it is obvious to one of ordinary skill in the art that some legal and financial information is a matter of public record, such as bankruptcy, convictions, title deeds, and the like.
j. 	Determining an expiration date for at least one of the first privacy risk assessment questionnaire responses (vendors are notified when an expiration date has occurred or will occur) (Muhart, [0033]).
k.	Storing the expiration date for the at least one of the first privacy risk assessment questionnaire responses in the vendor information database (expiration date of a vendor’s credentialing data is part of the information used for assessing the vendor) (Muhart, [0076]).
Muhart as modified does not expressly mention a security certification with an expiration date. However, in an analogous art, Spoonamore teaches:
l.	Determining that at least one of the first privacy risk assessment questionnaire responses comprises a security certification (validating security certifications of vendors is part of analyzing the vendor) (Spoonamore, [78-86, 0103, 0167, and 227] and Table 1). 

Muhart as modified further teaches:
m.	At least partially in response to determining that the at least one of the privacy risk assessment questionnaire responses comprises the security certification, identifying a particular weighting factor for at least one of the first privacy risk assessment questionnaire responses (calculating risk from gathered data) (Muhart, [0041]).
n.	Assigning the particular weighting factor to the at least one of the first privacy risk questionnaire responses (calculating risk from gathered data) (Muhart, [0041]).
o.	Determining that the expiration date as occurred (vendors are notified when an expiration date has occurred or will occur) (Muhart, [0033]).
p. 	At least partially in response to determining that the expiration date has occurred (vendors are notified when an expiration date has occurred or will occur) (Muhart, [0033]). substantially automatically:
i.	Generating a second privacy risk assessment questionnaire soliciting an updated security certification (notification email (second privacy risk assessment questionnaire) is generated) (Muhart, [0033]).

iii.	Receiving, from the particular vendor, second privacy risk assessment questionnaire responses, wherein the second privacy risk assessment questionnaire responses comprise the updated security certification (notification email (second privacy risk assessment questionnaire) is sent) (Muhart, [0033]). As noted above, there is no way to ensure that the vendor would respond with a security certification and that if there is no response from the vendor then the particular security certification is not used in risk calculation.
iv.	Updating, in the vendor information database, the at least one of the first privacy risk questionnaire response with the updated security certification (updating vendor information including risk scores and gathering the most current data) (Muhart, [0077-0078]).
q.	Calculating, based at least in part on the vendor information associated with the particular vendor, the publicly available privacy-related information associated with the particular vendor, and the particular weighting factor for the at least one of the first privacy risk assessment questionnaire, a vendor risk score for the particular vendor, (calculating risk from gathered data) (Muhart, [0041]).
r.	Determining, based at least in part on the vendor information associated with the particular vendor and the publicly available privacy-related information 
s.	Storing, in the vendor information database, the vendor risk score for the particular vendor and the additional privacy-related information associated with the particular vendor (risk scores, among other data is stored and associated with the particular vendor so that they can be accessed at a later time) (Muhart, [0075]).
t.	Presenting, by one or more computer processors on a graphical user interface, the vendor risk score for the particular vendor and the additional privacy-related information associated with the particular vendor (exemplary screenshot of risk table with risk score and subsets of various other information) (Muhart, [0104] and figs. 16A and 16B).

	As to claim 9, Muhart as modified teaches:
	a.	Detecting a selection of a user-selectable control for adding a new vendor on a second graphical user interface (user selects another vendor) (Muhart, [0077]).
b.	At least partially in response to detecting the selection of the user-selectable control for adding the new vendor, presenting a third graphical user interface configured to receive vendor information associated with the new vendor (reviewing vendor data of multiple vendors at once) (Muhart, [0077]).

d.	At least partially in response to detecting submission of the vendor information associated with the particular vendor on the third user graphical interface, storing the vendor information associated with the particular vendor in the vendor information database (updating vendor information including risk scores and gathering the most current data) (Muhart, [0077-0078]).

As to claim 10, Muhart as modified teaches one or more of the one or more particular terms in the one or documents comprise one or more contract terms (documents, including contracts, are analyzed with natural language processing) (Muhart, [0057] and Gates, 20:16-40).

As to claim 11, Muhart as modified teaches determining the additional privacy-related information associated with the particular vendor further based, at least in part, on the first privacy risk assessment questionnaire responses (the responses of the vendor are additional information) (Sidebottom, [0065-0066]).

As to claim 12, Muhart as modified teaches calculating the vendor risk score for the particular vendor further based, at least in part, on the first privacy risk assessment questionnaire responses (calculating risk from responses) (Sidebottom, [0066]).


a.	Determining a second expiration date for the updated security certification (vendor account data or periodic economic data) (Muhart, [0076]), Sidebottom, [0060], and Spoonamore, [78-86, 0103, 0167, and 227] and Table 1).
b.	Storing the second expiration date for the updated security certification in the vendor information database (expiration date of a vendor’s credentialing data is part of the information used for assessing the vendor) (Muhart, [0076]).

As to claim 14, Muhart as modified teaches:
a.	The privacy risk assessment questionnaire response comprise one or more pieces of information associated with the particular vendor (service providers answer questions posed to them) (Sidebottom, [0065]).
b.	Determining a second expiration date for the one or more pieces of information associated with the particular vendor (vendors are notified when an expiration date has occurred or will occur) (Muhart, [0033]).
c.	Determining a second expiration date has occurred (Muhart, [0076]) (Sidebottom, [0060] and Spoonamore, [78-86, 0103, 0167, and 227] and Table 1).
d.	At least partially in response to determining that the second expiration date has occurred, obtaining second publicly available privacy-related information associated with the particular vendor and calculating a second vendor risk score for the particular vendor based, at least in part, on the second privacy risk assessment questionnaire responses (The scheme of Muhart as 

As to claims 15 and 21, Muhart teaches:
a.	Receiving, by one or more computer processors, vendor information associated with the particular vendor (selected vendor data gathered and delivered to requesting user) (Muhart, [0049]).
Muhart gathers information from vendors, but does not expressly mention a questionnaire. However, in an analogous art, Sidebottom teaches:
b. 	Generating, by one or more computer processors, a first privacy risk assessment questionnaire for the particular vendor (given questionnaire is generated to probe inherent risk in a vendor) (Sidebottom, [0064-0066]).
Therefore, one of ordinary skill in the art would have been motivated at the time the invention was made to implement the vendor risk assessment scheme of Muhart with the vendor questionnaire generation of Sidebottom in order to better evaluate vendor risk and quality of service as suggested by Sidebottom (Sidebottom, [0003]).
Muhart as modified further teaches:
c.	Transmitting, by one or more computer processors, the first privacy risk assessment questionnaire to the particular vendor (vendors complete questionnaire) (Sidebottom, [0065]).

e.	Associating, by one or more computer processors, the vendor assessment information with the vendor information associated with the particular vendor (inherent risk score are saved and used in various charts, reports, and scorecards according to each vendor) (Sidebottom, [0053, 0054, and 0060]).
Muhart as modified does not expressly mention using natural language processing. However, in an analogous art, Gates teaches:
f.	Analyzing, by one or more computer processors, the one or more documents using one or more natural language processing techniques to identify one or more particular terms in the one or more documents (using natural language processing techniques to analyze documents) (Gates, 20:16-40).
Therefore, one of ordinary skill in the art at the time the invention was made would have been motivated to implement the vendor risk assessment scheme of Muhart as modified with the natural language processing of Gates in order to infer the meaning of keywords in various documents as suggested by Gates (Gates, 20:16-40).
Muhart as modified further teaches:
g.	Associating, by one or more computer processors, the identified one or more particular terms with the vendor information associated with the particular 
h.	Obtaining, by one or more computer processors based at least in part on the vendor information associated with the particular vendor, publicly available privacy-related information associated with the particular vendor (accessing legal and financial information of vendors to assess privacy risk) (Muhart, [0060]).
While Muhart does not explicitly recite the information is “publicly available”, it is obvious to one of ordinary skill in the art that some legal and financial information is a matter of public record, such as bankruptcy, convictions, title deeds, and the like.
i.	Determining, by one or more computer processors, an expiration date for the at least one piece of the vendor assessment information (vendors are notified when an expiration date has occurred or will occur) (Muhart, [0033]).
j.	Storing, by one or more computer processors in a computer memory, the expiration date for the at least one piece of the vendor assessment information (expiration date of a vendor’s credentialing data is part of the information used for assessing the vendor) (Muhart, [0076]).
k.	Associating, by one or more computer processors in the computer memory, the expiration date for the at least one piece of the vendor assessment information (expiration date of a vendor’s credentialing data is part of the information used for assessing the vendor) (Muhart, [0076]).
Muhart as modified does not expressly mention a security certification with an expiration date. However, in an analogous art, Spoonamore teaches:

Therefore, one of ordinary skill in the art at the time the invention was made would have been motivated to implement the vendor risk assessment scheme of Muhart as modified with the security certification of Spoonamore in order to better manage risk as suggested by Spoonamore (Spoonamore, [0034]).
Muhart as modified further teaches:
m.	At least partially in response to determining that the at least one piece of the vendor assessment information comprises the security certification, identifying, by one or more computer processors, a particular weighting factor for the at least one piece of the vendor assessment information
n.	Assigning, by one or more computer processors, the particular weighting factor to the at least one piece of the vendor assessment information (calculating risk from gathered data) (Muhart, [0041]).
o.	Determining, by one or more computer processors, that the expiate date has occurred (vendors are notified when an expiration date has occurred or will occur) (Muhart, [0033]).
p.	At least partially in response to determining that the expiration date has occurred (vendors are notified when an expiration date has occurred or will occur) (Muhart, [0033]). , substantially automatically:

ii.	Transmitting, by one or more computer processors, the second privacy risk assessment questionnaire to the particular vendor
iii.	Receiving, by one or more computer processors, from the particular vendor, one or more responses to the second privacy risk assessment questionnaire, wherein the one or more responses comprise the updated security certification (notification email (second privacy risk assessment questionnaire) is sent) (Muhart, [0033]). As noted above, there is no way to ensure that the vendor would respond with a security certification and that if there is no response from the vendor then the particular security certification is not used in risk calculation.
iv.	Updating, by one or more computer processors, the at least one piece of the vendor assessment information with the updated security certification (updating vendor information including risk scores and gathering the most current data) (Muhart, [0077-0078]).
q.	Calculating, by one or more computer processors based at least in part on the vendor information associated with the particular vendor, the publicly available privacy-related information associated with the particular vendor, and the particular weighting factor to the at least one piece of the vendor assessment information, a risk score for the particular vendor (calculating risk from gathered data) (Muhart, [0031]).

s.	Presenting, by one or more computer processors on a graphical user interface: the risk score for the particular vendor (exemplary screenshot of risk table with risk score and subsets of various other information) (Muhart, [0104] and figs. 16A and 16B).
t.	At least a subset of the vendor information associated with the particular vendor (exemplary screenshot of risk table with risk score and subsets of various other information) (Muhart, [0104] and figs. 16A and 16B).
u.	At least a subset of the additional privacy-related information associated with the particular vendor (exemplary screenshot of risk table with risk score and subsets of various other information) (Muhart, [0104] and figs. 16A and 16B).

As to claim 16, Muhart as modified teaches determining the additional privacy-related information associated with the particular vendor is further based, at least in part, on the identified one or more particular terms (documents are analyzed with natural language processing) (Gates, 20:16-40).



	As to claim 19, Muhart as modified teaches calculating the risk score for the particular vendor is further based, at least in part, on the vendor assessment information associated with the particular vendor (selected vendor data gathered and delivered to requesting user) (Muhart, [0049]) and (calculating risk from gathered data) (Muhart, [0031]).

As to claim 20, Muhart as modified teaches determining the additional privacy-related information associated with the particular vendor is further based, at least in part, on the vendor assessment information associated with the particular vendor (selected vendor data gathered and delivered to requesting user) (Muhart, [0049]).

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILLIAM S POWERS whose telephone number is (571)272-8573.  The examiner can normally be reached on M-F 7:30-17:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Hadi Armouche can be reached on 571 270 3618.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/WILLIAM S POWERS/           Primary Examiner, Art Unit 2419