Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 02-09-2021 was in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Response to Amendments
Applicant's amendments to claims 1 – 9 and 11 – 21, and the accompanying arguments under 35 USC 112, 101 (double patenting) and 103 regarding patentability over the closest and analogous prior art, Baker et al (US Pub. #: 8527955), hereafter Bak, and Noble et al (US Pub. #: 6895577), hereafter Nob, have been fully considered and are persuasive. Claim 10 is cancelled.

Allowable Subject Matter
1.	Amended claims 1 – 9 and 11 – 21 are allowed in light of applicant's arguments, the approved examiner's amendment and the prior art made of record.

Examiner’s Amendment
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.  Authorization for this examiner’s amendment was given in an interview with John Garza (attorney) for filed claims on 10-08-2020:
1. (currently amended) A system for privacy risk assessment comprising:
a privacy risk identification engine to automatically identify a plurality of privacy risks in an application based on an analysis of application code comprising a plurality of portions, wherein each of the plurality of privacy risks is associated with one or more of the portions of the application code; and
a privacy risk assessment engine to: 
for each privacy risk of the plurality of privacy risks, determine a risk impact value based at least on a privacy impact score and a data type sensitivity score, wherein the privacy impact score is a measure of a each of the privacy risk; 
for each of the privacy risk of the plurality of privacy risks, determine a risk likelihood value based at least on a compensating controls score, wherein the compensating controls score is a measure of a level of existing controls that compensate for each of the privacy risk; 
for each of the privacy risk of the plurality of privacy risks, determine a privacy risk score based at least on the determined risk impact value and the determined risk likelihood value of each of the privacy risk; and
cause a plurality of indicators to be displayed on a display of the application code, wherein each indicator of the plurality of indicators is superimposed on a corresponding portion of the application code and indicates the privacy risk score for a privacy risk associated with the corresponding portion of the application code.

2. (original)	The system of claim 1, wherein the analysis of the application code includes data flow scanning and code scanning.

3. (previously amended) The system of claim 1, wherein the privacy impact score and the compensating controls score are based on privacy risk information, and wherein a privacy risk information engine obtains the privacy risk information by: 
generating a privacy risk questionnaire; and
receiving a response to the privacy risk questionnaire, the response including the privacy risk information.

4. (original) The system of claim 3, wherein the privacy risk questionnaire includes questions relating to at least two of privacy impact, data sensitivity type, nature of deployment, compensating controls, discovery skills, and correlation impact.

5. (previously amended) The system of claim 3, wherein: 
the privacy risk information includes, for each privacy risk of the plurality of privacy risks, privacy impact information, data sensitivity type information, nature of deployment information, compensating controls information, discovery skills information, and correlation impact information.  



the privacy risk assessment engine is to determine the risk likelihood value based on a nature of deployment score, the compensating controls score, and a discovery skills score, wherein the discovery skills score is a measure of skills required to exploit the particular privacy risk.

7. (original)	The system of claim 6, wherein each of the privacy impact score, the data type sensitivity score, the nature of deployment score, and the compensating controls score is assigned a different weighting factor.

8. (previously amended) The system of claim 1, wherein the privacy risk assessment engine is to: 
categorize each privacy risk of the plurality of privacy risks based on the assessed privacy risk score; and
assign an indicator to each privacy risk of the plurality of privacy risks based on the categorization.

9. (previously amended) The system of claim 8, wherein the privacy risk assessment engine is to: 
determine risk remediation options for each privacy risk of the plurality of privacy risks based on the assessed privacy risk score; and
automatically generate a product risks working report, the product risks working report including each privacy risk of the plurality of privacy risks and the risk remediation options.

10. (canceled).

identifying, by a processor, a plurality of privacy risks in an application based on an analysis of application code comprising a plurality of portions, wherein each of the plurality of privacy risks is associated with one or more of the portions of the application code;
for each privacy risk of the plurality of privacy risks, the processor determining a risk impact value based at least on a privacy impact score and a data type sensitivity score, wherein the privacy impact score is a measure of a each of the privacy risk; 
for each of the privacy risk of the plurality of privacy risks, the processor determining a risk likelihood value based at least on a compensating controls score, wherein the compensating controls score is a measure of a level of existing controls that compensate for each of the privacy risk; 
for each of the privacy risk of the plurality of privacy risks, the processor determining a privacy risk score based at least on the determined risk impact value and the determined risk likelihood value of each of the privacy risk; and
causing, by the processor, a plurality of indicators to be displayed on a display of the application code, wherein each indicator of the plurality of indicators is superimposed on a corresponding portion of the application code and indicates the privacy risk score for a privacy risk associated with the corresponding portion of the application code.  

12. (previously amended) The method of claim 11, including generating the privacy impact score and the compensating controls score based on privacy risk information, wherein the privacy risk information is obtained from a privacy risk questionnaire.  

13. (currently amended)	The method of claim 12, including, for each privacy risk of the plurality of privacy risks:

determining the risk likelihood value based on the compensating controls score, a nature of deployment score, and a discovery skills score.


automatically identify a plurality of privacy risks in an application based on an analysis of application code comprising a plurality of portions, wherein each of the plurality of privacy risks is associated with one or more of the portions of the application code;
for each privacy risk of the plurality of privacy risks, determine a risk impact value based at least on a privacy impact score and a data type sensitivity score, wherein the privacy impact score is a measure of a each of the privacy risk; 
for each of the privacy risk of the plurality of privacy risks, determine a risk likelihood value based at least on a compensating controls score, wherein the compensating controls score is a measure of a level of existing controls that compensate for each of the privacy risk; 
for each of the privacy risk of the plurality of privacy risks, determine a privacy risk score based at least on the determined risk impact value and the determined risk likelihood value of the privacy risk; and
cause a plurality of indicators to be displayed on a display of the application code, wherein each indicator of the plurality of indicators is superimposed on a corresponding portion of the application code and indicates the privacy risk score for a privacy risk associated with the corresponding portion of the application code.  

15. (currently amended) The non-transitory machine-readable storage medium of claim 14, including instructions executable to cause the processor to:

determine the risk likelihood value based on a nature of deployment score, the compensating controls score, and a discovery skills score, wherein the discovery skills score is a measure of skills required to exploit the particular privacy risk.

16. (previously presented) The non-transitory machine-readable storage medium of claim 15, wherein each of the privacy impact score, the data type sensitivity score, the nature of deployment score, and the compensating controls score is assigned a different weighting factor.


automatically identify risk remediation options for each privacy risk of the plurality of privacy risks based on the privacy risk score of the privacy risk.

18. (previously amended) The non-transitory machine-readable storage medium of claim 14, wherein each indicator of the plurality of indicators has one of a plurality of colors, wherein the color of the indicator indicates the privacy risk score of the privacy risk.

19. (previously amended) The system of claim 1, wherein each indicator of the plurality of indicators has one of a plurality of colors, wherein the color of the indicator indicates the privacy risk score of the privacy risk. 

20. (previously amended) The method of claim 11, wherein the indicator of the plurality of indicators has a particular color that indicates the privacy risk score of the privacy risk. 

21. (previously amended) The method of claim 11, comprising:
automatically identifying risk remediation options for each privacy risk of the plurality of privacy risks based on the privacy risk score of the privacy risk.
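The claims above recite which scores feed the risk impact value (privacy impact score, data type sensitivity score), which feed the risk likelihood value (nature of deployment, compensating controls, discovery skills), that a privacy risk score is determined from those two values, and that indicators colored by that score are superimposed on the associated portions of the application code. The following is an added illustration of that scoring model; it is not code from the application, the examiner's amendment or the cited references. The 1 to 5 scales, the weighting factors, the product used to combine impact and likelihood, the category thresholds, the colors, and the sample code and risk records are all assumptions made for the illustration.

```python
from dataclasses import dataclass

SCALE_MAX = 5  # all scores assumed to be integers on a 1..5 scale (assumption)

# A different weighting factor per score, as in claims 7 and 16; values assumed.
WEIGHTS = {
    "privacy_impact": 0.6,
    "data_type_sensitivity": 0.4,
    "nature_of_deployment": 0.4,
    "compensating_controls": 0.35,
    "discovery_skills": 0.25,
}

# Category thresholds on the privacy risk score (claim 8) and indicator
# colors (claims 18, 19); both assumed for the illustration.
CATEGORIES = (("high", 15.0, "red"), ("medium", 7.0, "amber"), ("low", 0.0, "green"))


@dataclass
class PrivacyRiskInfo:
    """Privacy risk information for one identified risk (claim 5)."""
    risk_id: str
    description: str
    code_portion: tuple          # (first_line, last_line) of the associated code portion
    privacy_impact: int          # privacy impact score
    data_type_sensitivity: int   # data type sensitivity score
    nature_of_deployment: int    # nature of deployment score
    compensating_controls: int   # level of existing controls compensating for the risk
    discovery_skills: int        # skills required to exploit the risk


def risk_impact_value(info):
    """Risk impact value from privacy impact and data type sensitivity (claim 1)."""
    return (WEIGHTS["privacy_impact"] * info.privacy_impact
            + WEIGHTS["data_type_sensitivity"] * info.data_type_sensitivity)


def risk_likelihood_value(info):
    """Risk likelihood value from nature of deployment, compensating controls and
    discovery skills (claim 6). Stronger controls and a higher skill requirement
    make exploitation less likely, so those two scores are inverted (assumption)."""
    return (WEIGHTS["nature_of_deployment"] * info.nature_of_deployment
            + WEIGHTS["compensating_controls"] * (SCALE_MAX + 1 - info.compensating_controls)
            + WEIGHTS["discovery_skills"] * (SCALE_MAX + 1 - info.discovery_skills))


def privacy_risk_score(info):
    """Privacy risk score as impact times likelihood (claim 1; product assumed)."""
    return round(risk_impact_value(info) * risk_likelihood_value(info), 2)


def categorize(score):
    """Category and indicator color for a privacy risk score (claims 8, 18, 19)."""
    for name, threshold, color in CATEGORIES:
        if score >= threshold:
            return name, color
    return CATEGORIES[-1][0], CATEGORIES[-1][2]


def assess(risks):
    """Score and categorize every identified risk; highest score first."""
    result = []
    for info in risks:
        score = privacy_risk_score(info)
        category, color = categorize(score)
        result.append({"risk_id": info.risk_id, "code_portion": info.code_portion,
                       "score": score, "category": category, "color": color})
    return sorted(result, key=lambda r: r["score"], reverse=True)


def annotate_code(source, assessments):
    """Superimpose an indicator on each code portion carrying a risk (claim 1).
    Where portions overlap, the indicator of the highest-scoring risk is kept."""
    marks = {}
    for a in assessments:
        first, last = a["code_portion"]
        for n in range(first, last + 1):
            if n not in marks or a["score"] > marks[n]["score"]:
                marks[n] = a
    lines = []
    for n, text in enumerate(source.splitlines(), 1):
        if n in marks:
            a = marks[n]
            lines.append(f"{a['color']:>5} {a['score']:>5.2f}  {text}")
        else:
            lines.append(f"{'':>11}  {text}")
    return "\n".join(lines)


# Constructed sample: four lines of application code and three risks that an
# identification engine is assumed to have associated with portions of it.
SAMPLE_CODE = """\
user = db.fetch_user(user_id)
log.info("login from %s ssn=%s", user.ip, user.ssn)
analytics.send(user.email, user.location)
render(page)"""

SAMPLE_RISKS = [
    PrivacyRiskInfo("R1", "SSN written to application log", (2, 2), 5, 5, 5, 1, 2),
    PrivacyRiskInfo("R2", "email and location shared with analytics", (3, 3), 3, 3, 4, 4, 4),
    PrivacyRiskInfo("R3", "full user record loaded for a login check", (1, 1), 2, 2, 2, 5, 5),
]

if __name__ == "__main__":
    ranked = assess(SAMPLE_RISKS)
    for r in ranked:
        print(r)
    print(annotate_code(SAMPLE_CODE, ranked))
```

With the assumed weights, each of the impact and likelihood values lies in 1 to 5 and the product in 1 to 25, so the thresholds split that range into three bands; the inversion of the compensating controls and discovery skills scores is what makes a well-controlled, hard-to-exploit risk score low even when its impact is high.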
 
Reasons for Allowance
The following is an examiner’s statement of reasons for allowance: 
As to independent claim 1, the prior art of reference Bak teaches (Col. 10 lines 6-10, 49-51, Figs. 19-41) an automated code inspection service performed on code, which creates output information. A report generation tool is operable to generate a report containing, e.g., defect analysis metrics, using the classified tool output information, e.g., received from the defect classification mapping tool. The report generation tool may report defect discoveries and provide detailed reports of findings, including mitigated risk. Col. 5 lines 43-46 teach defect classification (type, qualifier and severity level, amongst other classifications). See Figs. 44-46, 48-58, Cols. 15-16: the report may also include a histogram of defects found, for example by tool error category and implications, i.e., a quantification of accessibility defects found using a particular code inspection service for two rules and/or industry standards (accessibility errors, injection defects, etc.). The errors are quantified by severity level, e.g., severity 1, 2 or 3. Bak, Figs. 3 – 59: Fig. 21 shows sensitive information; Fig. 37 indicates CICS and production environments; Figs. 50-53 show privacy risk tests, Java code review, empty code, dead code and an error report; Figs. 39 and 59 show code dependencies including static, dynamic, inheritance and circular dependency calls between objects.

Further, a second prior art of record Nob teaches: Col. 12 lines 1-4: the user may select to display only a portion of a program's structure chart, allowing the user to quickly focus in on parts of the program believed to be most impacted by a particular code change. Col. 2 lines 24-27: a single risk metric is calculated which indicates the relative risk of not thoroughly testing the program or a portion of the program. Col. 15 lines 42-46: a program under test with a risk metric above is highlighted in a manner such that the program under test having this risk factor is distinguishable from other parts of the code that may have lower risk factors.

None of the prior art of record, alone or in any combination, anticipates or renders obvious the claimed invention as of the time it was filed. The prior art of record fails to teach: for each privacy risk, computing a risk impact value and a risk likelihood value, where the risk impact value is based on a privacy impact score and a data type sensitivity score, and the risk likelihood value is based on a compensating controls score measuring the existing controls that compensate for that privacy risk; combining the impact and likelihood values to determine a privacy risk score for each privacy risk; and superimposing privacy risk indicators on the displayed application code according to the privacy risk score computed for the corresponding portion of code.

Therefore, independent claim 1 and its corresponding dependent claims are allowed in light of applicant's arguments, the approved examiner's amendment and the prior art of record. The same reasoning applies to independent claims 11 and 14 mutatis mutandis. Claim 10 is cancelled.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892 Notice of References Cited.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Taghi T. Arani, can be reached on 571-272-3787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/BADRINARAYANAN /Examiner, Art Unit 2438.