DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

This action is in response to papers filed on 11/4/2020.
Claims 1, 10, and 19 have been amended.
No claims have been cancelled.
No claims have been added.
Claims 1-20 are pending.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claims are directed to a process (method as introduced in Claims 1 and 19) and/or a system, and will be considered under the appropriate 35 USC § 101 analysis.
Claims 1 and 10 recite receiving data (enrollment indication, user data, entity breach data), generating indicators for collected data, comparing indicators to thresholds, generating and providing notifications.  The limitations of receiving enrollment indications, receiving user information, generating indications based on entity data breaches, comparing indicators to thresholds, generating notifications based on comparison and instructions for actions, receiving user inputs for provided options, 
Additionally, the limitations, as drafted, is a process that, under its broadest reasonable interpretation, covers performance concepts performed in the human mind (including an observation, evaluation, judgment, opinion) which represents the abstract idea of mental steps. That is, other than reciting a computer implementation, nothing in the claim elements precludes the step from encompassing the managing of user interactions.
This judicial exception is not integrated into a practical application.  In particular, the claims recite the following additional elements:
– Using a computer and/or processor to perform the recited steps. The processor used in these steps is recited at a high-level of generality (i.e., as a generic processor performing a generic computer functions of collecting, transmitting, and analyzing data).
– Using machine-readable storage media and/or memory.  The computer used in these steps is recited at a high-level of generality (i.e., as a generic processor performing a generic computer functions of storing data).
Symantec (see MPEP 2106.05(d)(II)), Symantec, 838 F.3d at 1321, 120 USPQ2d at 1362).  The use of generic computer components to transmit information through an unspecified interface does not impose any meaningful limit on the computer implementation of the abstract idea.
These elements are performed such that they amount to no more than mere instructions to apply the exception using generic computer components as discussed in MPEP 2106.05(f). Accordingly, these additional elements do not, nor does the claim as a whole, integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea.
The claims does not include additional elements, individually or in combination, that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element of using a processor to perform the steps amounts to no more than mere instructions to apply the exception using a generic computer 
Claims 2 and 11 recite further elements related to specific types of notifications.  These activities fail to differentiate the claims from the related activities in the parent claims and fail to provide any material to render the claimed invention to be significantly more than the identified abstract ideas, because the specific type of notification does not significantly affect the processing of the claimed invention.  The claims are directed to the same abstract ideas identified in the independent claims and simply provide further details for this abstract idea.  The claims do not provide any new additional limitations beyond abstract idea that are not addressed above in the independent claims therefore, they do not integrate the abstract idea into a practical application nor do they provide significantly more to the abstract idea.  Therefore, Claims 2 and 11 are ineligible.
Claims 3, 12, and 20 recite further elements related to specific types of service (banking).  These activities fail to differentiate the claims from the related activities in the parent claims and fail to provide any material to render the claimed invention to be significantly more than the identified abstract ideas, because the specific type of service does not significantly affect the processing of the claimed invention.  The claims are directed to the same abstract ideas identified in the independent claims and simply provide further details for this abstract idea.  The claims do not provide any new additional limitations beyond abstract idea that are not addressed above in the independent claims therefore, they do not integrate the abstract idea into a practical 
Claims 4, 6, 7 and 13, 15, 16 recite further elements related to the generating of indicators, comparing those indicators to thresholds, and/or describing the thresholds.  These activities fail to differentiate the claims from the related activities in the parent claims and fail to provide any material to render the claimed invention to be significantly more than the identified abstract ideas.  The claims are directed to the same abstract ideas identified in the independent claims and simply provide further details for this abstract idea.  The claims do not provide any new additional limitations beyond abstract idea that are not addressed above in the independent claims therefore, they do not integrate the abstract idea into a practical application nor do they provide significantly more to the abstract idea.  Therefore, Claims 4, 6, 7 and 13, 15, 16 are ineligible.
Claims 5, 8, 14, and 17 recite elements that appear in independent Claim 19 and are addressed along with that claim above.  Therefore, Claims 5, 8, 14, and 17 are ineligible.
Claims 9 and 18 recite further elements related to specific actions recommended with the notification.  These activities fail to differentiate the claims from the related activities in the parent claims and fail to provide any material to render the claimed invention to be significantly more than the identified abstract ideas, because the specific actions are not performed as part of the claimed invention and therefore does not significantly affect the processing of the claimed invention.  The claims are directed to the same abstract ideas identified in the independent claims and simply provide further details for this abstract idea.  The claims do not provide any new additional limitations 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-4, 8-13, 17, and 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Van Dyke (Pub. No. US 2020/0193018 A1) in view of DeLawter et al. (Pub. No. US 2016/0364727 A1) in further view of Federgreen et al. (Pub. No. US 2015/0154520 A1) in further view of Target (“Target Customers are Targeted in Massive Data Breach”).
In regards to Claims 1 and 10, Van Dyke discloses:
A computer-implemented method, comprising: 
receiving, by a provider computing system, an indicator of enrollment of a user in a breach notification service; ([0038], consumer enrolls in the breach notification system (“BC”))
collects data regarding user personal information and exposure of that information, which would indicate that a consumer is specifically identified in the breach (“In one example, the BC server 12 receives exposure information and/or accesses exposure information stored in the data structure 22, and uses an algorithm 10 to assign an initial exposure rating 132 (see FIGS. 19-23) to each breach event 70, where the exposure rating 132 indicates to the consumer of the likelihood of exposure of their data from that breach event 70. The exposure information can include, for example, information received from the breached entity regarding the extent to which the breached information elements 68 have been exposed, e.g., distributed in an unauthorized manner, the types of exposures which have occurred and/or are anticipated to occur, for example, exposure of the breached information elements 68 via a network, website, by unauthorized publication, etc., qualitative and/or quantitative research related to exposure patterns for breaches and/or breached data similar to the breach event 70, etc.”))
generating, by the provider computing system, one or more indicators of a data breach for an entity that stores one of data regarding the user or an indication of a transaction with the user; ([0041], system receives breach information and generates an indicator for the breach (exposure ratings), the breach data is received from entities themselves (“…a breached entity reporting information related to a breach of its own data…”) that includes data regarding a consumer (“…which can include, for example, a breach descriptor 70 of the breached entity, such as a company name (for example, "Azure Jewelers" or "XYZ Bank"), breach event information including date(s) breached, information elements 68 breached and/or compromised by the breach (personally identifiable information (PII), protected health information (PHI)…”))
in response to determining that the one or more indicators meet the threshold, generating, by the provider computing system, a notification specific to the customer regarding the data breach; ([0045], “…provide a notification or alert to a consumer-victim of a breach event…”)
providing, by the provider computing system, the notification to the customer during a log-in process for a product or service associated with the provider computing system the notification being provided subsequent to an authorization of the user during the log-in process;. ([0038], shows a user accessing an account on the system to see breach information and the use of log-in credentials to access accounts; Fig. 9; Fig. 13; Fig. 14; Fig. 23, multiple screenshots showing the user account interface including a list of breach notifications that the user can access for more information, the data provided after the login authentication is complete)
including an option [for response] of the user for suspected fraudulent activity at the entity receiving, by the provider computing system, an indication from the user to exercise the option [for response] of the user for suspected fraudulent activity at the entity; ([0043], provides options for a user to respond to a breach for mitigation of the of the breach, including monitoring account transactions and changing card numbers)
and including an option to [monitor] transaction information of the user for suspected fraudulent activity at the entity ([0043], provides options for a user to respond to a breach for mitigation of the of the breach, including monitoring account transactions and changing card numbers)
“A compromise period of time (reflecting a likely period of time during which the compromise or hacking has occurred) may be defined by a compromise start date and a compromise end date. The compromise start date can be based on a period of time prior to the first reporting of the compromise, during which a predetermined large majority of the cards having fraudulent transactions (claims) can be back traced to the merchant.”)
It would have been obvious to one of ordinary skill in the art, at the time of filing, to have modified the system of Van Dyke so as to have included the use of a past predefined time period in generating breach indicators, as taught by DeLawter in order to increase the efficiency of detecting fraudulent activity and effected users (DeLawter, [0025]). 
Van Dyke/DeLawter discloses the use of an indicator (rating or score) used in regards to notifications of breaches, as described above.  Van Dyke/DeLawter does not explicitly disclose but Federgreen teaches:
determining, by the provider computing system, that the one or more indicators meet a threshold level for notifying the user of the data breach; (Claim 1; [0004], values are assigned to multiple indicators of a data breach and compared to a threshold to determine if a consumer needs to be notified)
It would have been obvious to one of ordinary skill in the art, at the time filing, to have modified the system of Van Dyke/DeLawter so as to have included determining, by 
Van Dyke discloses providing affected user with options to mitigate effects of an identified data breach, including monitoring transactions and changing card numbers, as discussed above.  Van Dyke/DeLawter/Federgreen does not explicitly disclose that the mitigation options include the scanning of the transaction information for suspected fraudulent activity or the deactivation of a credit card, however, Target teaches:
scanning, by the provider computing system, the transaction information for suspected fraudulent activity; and determining a fraudulent transaction based on scanning the transaction information; and at least one of i) deactivating, by the provider computing system, a payment card associated with the fraudulent transaction; or, ii) providing, by the provider computing system, a supplemental notification to the user regarding the determined fraudulent transaction from scanning the transaction information. (“If you used your credit or debit card purchase at a Target store during this time span, contact your card issuer to see if there are purchases on your account that you didn’t make and get a new card. Your issuer may have already shut downyour account. If your card has been used, you can follow the steps that the Federal Trade Commission recommends for identity theft victims.”, Target teaches that user can request that identification of fraudulent activities in response to a breach being identified (the request would entail searching transaction information which would be equivalent to the scanning steps)).
It would have been obvious to one of ordinary skill in the art as of the effective filing date of the claimed invention to have further modified the system of Van Dyke/DeLawter/Federgreen so as to have included the scanning, by the provider computing system, the transaction information for suspected fraudulent activity; and determining a fraudulent transaction based on scanning the transaction information; and at least one of i) deactivating, by the provider computing system, a payment card associated with the fraudulent transaction; or, ii) providing, by the provider computing system, a supplemental notification to the user regarding the determined fraudulent transaction from scanning the transaction information., as taught by Target.
One of ordinary skill in the art would have recognized that applying the known technique of Target would have yielded predictable results.  It would have been recognized that applying the technique of Target to Van Dyke/DeLawter/Federgreen would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate such account monitoring features into similar systems.  Further, using an account transaction searching (or scanning) option in conjunction with a method/system for monitoring accounts and identifying fraudulent activity, would have been recognized by those ordinary skill in the art as resulting in an improved system that would allow additional options to user that include common and known actions (such as searching a transaction history I nan account).  (See KSR [127 S Ct. at 1739] "The combination of 
In regards to Claims 2 and 11, Van Dyke discloses:
wherein the notification is one of a splash page, a pop-up notification, a push notification, or a text message. ([0068], the breach event notifications list (which includes the notifications) in the user account can be presented as a pop-up screen)
In regards to Claims 3 and 12, Van Dyke discloses:
wherein the log-in process is one of a log-in process to access an online portal or a mobile application. ([0038]; Fig. 9; Fig. 13; Fig. 14; Fig. 23)
While Van Dyke/etc. discloses a method for providing a user breach notification and information when logged into an online portal for a service provider, Van Dyke/etc. does not disclose that the service provider is a “bank”.
However, the Examiner asserts that the data identifying the type of service provider hosting the online portal is simply a label for service provider and adds little, if anything, to the claimed acts or steps and thus does not serve to distinguish over the prior art. Any differences related merely to the meaning and information conveyed through labels (i.e., the specific type of service provider) which does not explicitly alter or impact the steps of the method does not patentably distinguish the claimed invention from the prior art in terms of patentability.
Therefore, it would have been obvious to a person of ordinary skill in the art at the time the invention was made to have the breach information provided through a online portal for banking (or any other online portal to which a use logs in) because type of service provider does not functionally alter or relate to the steps of the method and 
In regards to Claims 4 and 13, Van Dyke/DeLawter does not explicitly disclose but Federgreen teaches:
wherein determining that the one or more indicators meet the threshold level comprises: 
assigning, by the provider computing system, a risk level to each of the one or more indicators; (Claim 1; [0004])
comparing, by the provider computing system, a sum of the risk levels of the one or more indicators to the threshold level; (Claim 1; [0004]) 
determining, by the provider computing system, that the sum of the risk levels meet or exceed the threshold level. (Claim 1; [0004], values are assigned to multiple indicators of a data breach and a combination of those indicators weights/values are compared to a threshold to determine if a consumer needs to be notified)
It would have been obvious to one of ordinary skill in the art, at the time filing, to have modified the system of Van Dyke/DeLawter so as to have included wherein determining that the one or more indicators meet the threshold level comprises: assigning, by the provider computing system, a risk level to each of the one or more indicators; comparing, by the provider computing system, a sum of the risk levels of the one or more indicators to the threshold level; and determining, by the provider computing system, that the sum of the risk levels meet or exceed the threshold level, as taught by Federgreen in order to ensure that laws, rules, and/or regulations are met regarding notification requirements for data breaches (Federgreen, [0002]). 
In regards to Claims 8 and 17, Van Dyke discloses:
wherein generating the notification specific to the user comprises: including, by the provider computing system, instructions for taking one or more user- specific corrective actions to address the data breach in the notification; and facilitating, by the provider computing system, the one or more user-specific corrective actions from the notification. ([0004], “…providing recommendations for mitigation actions to reduce a consumer's risk of identity theft or other harms, following notification that the consumer has been exposed to risk as a result of a particular data breach or compromise…”; [0005], “The outputs generated by the BC system are presented, e.g., displayed and/or outputted, to the consumer-victim via a user interface designed in one example, such that the consumer can view a consolidated display showing a BC score, identified risks, mitigation actions, and in one example, can action the mitigation actions and/or additional information via the user interface.”)
In regards to Claims 9 and 18, Van Dyke discloses:
wherein the one or more user-specific corrective actions comprise one or more of setting up a mobile wallet for the user, setting up a temporary virtual credit card for the user, issuing the user a new payment card with a new account number, requiring the user for a certain period of time to manually confirm future transactions before the future transactions are processed, or one or more actions used to remedy a past data breach. (Fig. 11, shows multiple corrective actions, such as “Reissue payment card” ([0043] also refers to a change of account number associated with a card), “Change affected password” (example of an action to remedy a past data breach regarding a compromised password or account, see also [0043]), etc.
Claims 5-7, 14-16, 19, and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Van Dyke in view of DeLawter in further view of Federgreen in further view of Target in further view of Binns et al.  (Pub. No. US 2018/0308099 A1).
In regards to Claims 5 and 14, Van Dyke/etc. discloses the use of thresholds to determine notifications for users regarding breached data, as described above.  Van Van Dyke/etc. does not explicitly disclose but Binns teaches:
wherein the threshold level includes a first threshold and a second threshold, the second threshold being larger than the first threshold, such that the second threshold is associated with a higher risk level than the first threshold. ([0045]; [0067]; [0075])
It would have been obvious to one of ordinary skill in the art, at the time of filing, to have modified the system of Van Dyke/etc. so as to have included wherein the threshold level includes a first threshold and a second threshold, the second threshold being larger than the first threshold, such that the second threshold is associated with a higher risk level than the first threshold, as taught by Binns in order to provide feedback regarding breached data based on the severity of the breach (Binns, [0023]). 
In regards to Claims 6 and 15, Van Dyke discloses:
generating, by the provider computing system, the notification to include one or more suggested corrective actions to increase security and reduce a likeliness of a data breach between the entity and the user. ([0004]; [0034]; [0046])
Van Dyke/etc. does not explicitly disclose but Binns teaches:
generating the notification in response to determining that the one or more indicators meet the first threshold but not the second threshold ([0043], shows notifications being generated based on multiple scores and thresholds; [0045]; [0067]; [0075], use of multiple thresholds (including aggregated score falling between a higher and lower threshold) includes determinations of actions that can be taken (“corrective actions”, “mitigations”))
It would have been obvious to one of ordinary skill in the art, at the time of filing, to have modified the system of Van Dyke/etc. so as to have included generating the notification in response to determining that the one or more indicators meet the first threshold but not the second threshold, as taught by Binns in order to provide feedback regarding breached data based on the severity of the breach (Binns, [0023]). 
In regards to Claims 7 and 16, Van Dyke/etc. does not explicitly disclose but Binns teaches:
wherein generating the notification specific to the user comprises, in response to determining that the one or more indicators meet the second threshold, generating, by the provider computing system, the notification to direct the user to one or more corrective actions to take immediately. ([0075], score exceeds second threshold; [0076], user notification directs the user to at least one action to take immediately (approve or disapprove transaction))
It would have been obvious to one of ordinary skill in the art, at the time of filing, to have modified the system of Van Dyke/etc. so as to have included wherein generating the notification specific to the user comprises, in response to determining that the one or more indicators meet the second threshold, generating, by the provider computing system, the notification to direct the user to one or more corrective actions to 
In regards to Claim 19, Van Dyke discloses:
A computer-implemented method, comprising: 
receiving, by a provider computing system, an indicator of enrollment of a user in a breach notification service; ([0038], consumer enrolls in the breach notification system (“BC”))
acquiring, by the provider computing system, information regarding the user; ([0041], collects data regarding user personal information and exposure of that information, which would indicate that a consumer is specifically identified in the breach (“In one example, the BC server 12 receives exposure information and/or accesses exposure information stored in the data structure 22, and uses an algorithm 10 to assign an initial exposure rating 132 (see FIGS. 19-23) to each breach event 70, where the exposure rating 132 indicates to the consumer of the likelihood of exposure of their data from that breach event 70. The exposure information can include, for example, information received from the breached entity regarding the extent to which the breached information elements 68 have been exposed, e.g., distributed in an unauthorized manner, the types of exposures which have occurred and/or are anticipated to occur, for example, exposure of the breached information elements 68 via a network, website, by unauthorized publication, etc., qualitative and/or quantitative research related to exposure patterns for breaches and/or breached data similar to the breach event 70, etc.”))
system receives breach information and generates an indicator for the breach (exposure ratings), the breach data is received from entities themselves (“…a breached entity reporting information related to a breach of its own data…”) that includes data regarding a consumer (“…which can include, for example, a breach descriptor 70 of the breached entity, such as a company name (for example, "Azure Jewelers" or "XYZ Bank"), breach event information including date(s) breached, information elements 68 breached and/or compromised by the breach (personally identifiable information (PII), protected health information (PHI)…”))
in response to determining that the one or more indicators meet the threshold, generating, by the provider computing system, a notification specific to the customer regarding the data breach; ([0045], “…provide a notification or alert to a consumer-victim of a breach event…”)
providing, by the provider computing system, the notification to the customer during a log-in process for a product or service associated with the provider computing system. ([0038], shows a user accessing an account on the system to see breach information and the use of log-in credentials to access accounts; Fig. 9; Fig. 13; Fig. 14; Fig. 23; multiple screenshots showing the user account interface including a list of breach notifications that the user can access for more information)
herein the notification includes instructions for taking one or more user-specific corrective actions to address the data breach, and wherein the notification facilitates the one or more user-specific corrective actions from the notification; ([0004], “…providing recommendations for mitigation actions to reduce a consumer's risk of identity theft or other harms, following notification that the consumer has been exposed to risk as a result of a particular data breach or compromise…”; [0005], “The outputs generated by the BC system are presented, e.g., displayed and/or outputted, to the consumer-victim via a user interface designed in one example, such that the consumer can view a consolidated display showing a BC score, identified risks, mitigation actions, and in one example, can action the mitigation actions and/or additional information via the user interface.”)
Van Dyke discloses the use of time periods for which a breach occurred ([0041]), but, Van Dyke does not explicitly disclose identifying breeches during a pre-defined time period.  However, DeLawter teaches the use of a past predefined time period in generating breach indicators ([0025], “A compromise period of time (reflecting a likely period of time during which the compromise or hacking has occurred) may be defined by a compromise start date and a compromise end date. The compromise start date can be based on a period of time prior to the first reporting of the compromise, during which a predetermined large majority of the cards having fraudulent transactions (claims) can be back traced to the merchant.”)
It would have been obvious to one of ordinary skill in the art, at the time of filing, to have modified the system of Van Dyke so as to have included the use of a past predefined time period in generating breach indicators, as taught by DeLawter in order to increase the efficiency of detecting fraudulent activity and effected users (DeLawter, [0025]). 

determining, by the provider computing system, that the one or more indicators meet a threshold level for notifying the user of the data breach; (Claim 1; [0004], values are assigned to multiple indicators of a data breach and compared to a threshold to determine if a consumer needs to be notified)
It would have been obvious to one of ordinary skill in the art, at the time filing, to have modified the system of Van Dyke/DeLawter so as to have included determining, by the provider computing system, that the one or more indicators meet a threshold level for notifying the user of the data breach as taught by Federgreen in order to ensure that laws, rules, and/or regulations are met regarding notification requirements for data breaches (Federgreen, [0002]). 
Van Dyke/etc. discloses the use of thresholds to determine notifications for users regarding breached data, as described above.  Van Dyke/etc. does not explicitly disclose but Binns teaches:
determining, by the provider computing system, that the one or more indicators meet at least one of two or more thresholds for notifying the user of the data breach, the two or more thresholds comprising a first threshold and a second threshold that is higher than the first threshold and associated with a higher risk level than the first threshold; ([0045]; [0067]; [0075])
It would have been obvious to one of ordinary skill in the art, at the time of filing, to have modified the system of Van Dyke/etc. so as to have included wherein the 
In regards to Claim 20, Van Dyke discloses:
wherein the log-in process is one of a log-in process to access an online portal or a mobile application. ([0038]; Fig. 9; Fig. 13; Fig. 14; Fig. 23)
While Van Dyke/etc. discloses a method for providing a user breach notification and information when logged into a an online portal for a service provider, Van Dyke/etc.  does not disclose that the service provider is a “bank”.
However, the Examiner asserts that the data identifying the type of service provider hosting the online portal is simply a label for service provider and adds little, if anything, to the claimed acts or steps and thus does not serve to distinguish over the prior art. Any differences related merely to the meaning and information conveyed through labels (i.e., the specific type of service provider) which does not explicitly alter or impact the steps of the method does not patentably distinguish the claimed invention from the prior art in terms of patentability.
Therefore, it would have been obvious to a person of ordinary skill in the art at the time the invention was made to have the breach information provided through a online portal for banking (or any other online portal to which a use logs in) because type of service provider does not functionally alter or relate to the steps of the method and merely labeling the information differently from that in the prior art does not patentably distinguish the claimed invention.
Additional Prior Art Not Relied Upon
Steinberg et al. (Pub. No. US 2006/0090073 A1). Discloses the scanning of transactions, logs, and activities in order to identify, take action, and prevent suspicious activity (see at least [0018])
Iaroshevych (Pub. No. US 2019/0098053 A1). Discloses alerts and reviewing account activity for security issues (see at least [0049]; [0056])
Michel et al. (Patent No. US 9,392,008 B1). Discloses alerts and  deactivating cards in response to identified data breaches (see at least column 1, paragraph 6 to column 3, paragraph 3)

Response to Arguments
Applicant’s arguments filed 11/4/2020 have been fully considered but they are not persuasive. 
I. Rejection of Claims under 35 U.S.C. §101
Applicant argues that the claimed invention provides an improvement to the art regarding reach notification systems.  Applicant discusses the steps in the claimed invention, however, it is not demonstrated how these cause an improvement in the art.  For example, Applicant does not provide evidence or support to show that prior systems were unable to or would not perform the steps recited (such as identifying breaches, providing alerts, allowing users to scan/search transaction histories, providing data/alerts after authentication of a user, providing data alerts at a time of login, deactivating cards/accountsetc.).  It is not clear that prior systems were unable to or 
II. Rejection of Claims under 35 U.S.C. §103
Applicant’s arguments are drawn to the newly added claim material and are therefore moot in view of the new prior art rejections, citations, and/or explanations provided above.
Applicant argues that the references do not disclose “subsequent to an authorization during a login event”. The activities performed in the prior art are performed after the authentication of a login process is completed.  The data is not provided before the user is authenticated, as they pertain to security related systems.


Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHAUN D SENSENIG whose telephone number is (571)270-5393.  The examiner can normally be reached on M-F: 10:00am-4:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynda Jasmin can be reached on 571-272-6872.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MEHMET YESILDAG/Primary Examiner, Art Unit 3624