DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Rejections - 35 U.S.C. § 101
35 U.S.C. § 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-16 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more.  

Claims 1, 12 are directed to an abstract idea of displaying a report in an interface based on data retrieved. The underlying concept is merely collecting information, analyzing it, and display certain results – this concept is not meaningfully different than those concepts found by the courts to be abstract (See: Electrical Power, collecting information, analyzing it, and display certain results of the collection and analysis).
The claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements when considered both individually and as a combination do not amount to significantly more than the abstract idea. For example, independent claim 1 recites the additional elements of “generate a visual report depicting the privacy impact score on a user interface of the system ", independent claim 12 recites the additional elements of “binning the data source into privacy rating bins according to the calculated privacy impact score; and displaying on a graphical user interface visual depictions of the calculated privacy impact score according to the privacy rating bins” , which are still generic functions of displaying content in an interface. Generic displaying functions, without an inventive concept, do not amount to significantly more than the abstract idea. Looking at the elements as a combination does not add anything more than the elements analyzed individually. Therefore, these claims do not amount to significantly more than the abstract idea itself. The claim is not patent eligible.  
Claims 2-11, 12-16 merely recite other additional elements that either define the data sources, medadata, or visual report, etc. that when looking at the elements as a combination does not add anything more than the elements analyzed individually. Therefore, these claims also do not amount to significantly more than the abstract idea itself. These claims are not patent eligible.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-9, 12-14, 16 are rejected under 35 U.S.C. 102(a)(1)as being anticipated by Bar et al. (hereinafter Bar) US 2018/0330100.
In regard to claim 1, Bar disclose A system comprising: ([0011] system)
a processor; ([0014] processor) and
a computer-readable storage medium storing instructions that, when executed by the processor, cause the system to: ([0014]-[0015] 124, 122, 120) 
receive metadata representing privacy data from a data source; ([0012] receive privacy risk information from a client device) 
process, with a privacy model, the metadata to determine a privacy impact score associated with the data source;  ([0014]-[0015] assign privacy risk scores based on the analysis of privacy risk information) and
generate a visual report depicting the privacy impact score on a user interface of the system. ([0029]-[0031] [0039] display graphics to indicate privacy risk scores on the user interface) 
In regard to claim 2, Bar disclose The system of claim 1, the rejection is incorporated herein.
Bar also disclose wherein the data source is a software application and the metadata is extracted from the software application. ([0010] [0013] [0015] [0023] privacy risk information is retrieved from the privacy risk questionnaire responses, for example, etc. which is a software application)
In regard to claim 3, Bar disclose The system of claim 1, the rejection is incorporated herein.
Bar also disclose wherein the data source is a privacy impact assessment and the metadata is extracted from the privacy impact assessment. ([0013] [0015] [0023][0032]  privacy risk information is retrieved from the privacy risk questionnaire responses, for example) 
In regard to claim 4, Bar disclose The system of claim 1, the rejection is incorporated herein.
Bar also disclose wherein the metadata includes taxonomies specifying data types, data usage of the data types, and de-identification levels of the data types. ([0010][0023][0024] [0029]-[0032] data is categorized based on the assessed severity level, the type of application, data sensitivity type, etc.)
In regard to claim 5, Bar disclose The system of claim 4, the rejection is incorporated herein.
Bar also disclose wherein the metadata further includes privacy sensitivity scores associated with the data types, the data usage of the data types, and the de-identification levels of the data types. ([0023]-[0026] [0028]-[0032] data sensitivity score relate to data types, etc.)

In regard to claim 6, Bar disclose   The system of claim 5, the rejection is incorporated herein.
Bar also disclose wherein the sensitivity scores are weighted scores provided by an organization. ([0027][0028]  sensitivity score are weighted score automatically provided) 
In regard to claim 7, Bar disclose The system of claim 5, the rejection is incorporated herein.
Bar also disclose wherein the sensitivity scores are weighted scores that are weighted according to legal or regulatory frameworks. ([0009] [0027][0028]  sensitivity score are weighted score automatically provided, weighting method is an implementation choice which is not an invention) 
In regard to claim 8, Bar disclose    The system of claim 1, the rejection is incorporated herein.
Bar also disclose wherein the visual report depicts privacy assessments associated with one or more data sources on a graph of the user interface. ([0029]-[0031] [0039] display graphics to indicate privacy risk scores corresponding to privacy risk assessment from the questionnaires on the user interface) 
In regard to claim 9, Bar disclose   The system of claim 8, the rejection is incorporated herein.
Bar also disclose wherein a plot point on the graph corresponds to an aggregated data type impact score and an aggregated data use impact score. ([0029]-[0031] [0039] display graphics to indicate each of privacy risks on the user interface, how to construct the graph based on the data set available is an implementation choice, not an invention, which is well known to the people with skill in the art) 
In regard to claim 12, Bar disclose A method comprising: ([0027] method)
extracting metadata representing privacy data utilized by a data source from a database, ([0010] [0013] [0015] [0023] [0036] [0043] privacy risk information is retrieved from the privacy risk questionnaire responses, for example, from a database) the metadata defining data types, data uses of the data types, and de-identification levels of the data types;  ([0010][0023][0024] [0029]-[0032] data is categorized based on the assessed severity level, the type of application, data sensitivity type, etc.)
calculating a privacy impact score based at least on the metadata; ([0014]-[0015][0026]-[0029] [0042] privacy risk scores are calculated based on the analysis of privacy risk information)
binning the data source into privacy rating bins according to the calculated privacy impact score; ([0029]-[0033] categorize each of privacy risks based on the accessed privacy risk score)  and
displaying on a graphical user interface visual depictions of the calculated privacy impact score according to the privacy rating bins. ([0029]-[0033][0039] display graphics to indicate categorized privacy risk scores on the user interface) 
In regard to claim 13, Bar disclose The method of claim 12, the rejection is incorporated herein.
Bar also disclose further comprising normalizing the privacy impact score based at least on previously calculated privacy impact scores. ([0025]-[0031] [0039] calculate the privacy impact score based on the previous scores using weighting factor.) 
In regard to claim 14, Bar disclose  The method of claim 12, the rejection is incorporated herein.
Bar also disclose wherein the visual depiction of the calculated privacy impact is a visual graph with plot points depicting privacy impact scores of one or more data sources. ([0029]-[0031] [0039] display graphics to indicate each of privacy risks on the user interface, for example, dots of various colors, etc. how to construct the graph based on the data set available is an implementation choice, not an invention, which is well known to the people with skill in the art) 
In regard to claim 16, Bar disclose    The method of claim 13, the rejection is incorporated herein.
Bar also disclose wherein the privacy impact score is calculated based on aggregating scores associated with the data types, and aggregating scores associated with the data uses of the data types. ([0024]-[0031] privacy impact score is calculated based on the scores associated with type, or applications, etc. with various weighting factors)
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 10-11, 15, 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Bar et al. (hereinafter Bar) US 2018/0330100 in view of Bennett et al. (hereinafter Bennett) US 2010/0275263
In regard to claim 10, Bar disclose   The system of claim 9, the rejection is incorporated herein.
But Bar fail to explicitly disclose “wherein computer-readable instructions, when executed by the processor, further cause the processor to: receive a user selection on at least one plot point on the graph; and display information regarding the data source associated with the plot point selected according to the user selection.”
Bennett disclose wherein computer-readable instructions, when executed by the processor, further cause the processor to: receive a user selection on at least one plot point on the graph; and display information regarding the data source associated with the plot point selected according to the user selection.  ([0065][0077] user can “mouse over” or “click down” to see some additional detail data related to the user selection) 
It would have been obvious to one having ordinary skill in the art before the effective filing data of the claimed invention was made to incorporate Bennett’s interactive graphs into Bar’s invention as they are related to the same field endeavor of displaying information on a user interface. The motivation to combine these arts, as proposed above, at least because Bennett’s interactive graphs would display more data on the graph to Bar’s system. Therefore it would have been obvious to one having ordinary skill in the art before the effective filing data of the claimed invention was made that manipulating data on the graph would help to provide more intuitive ways to display the data and therefore to improve the user experience using the device.
In regard to claim 11, Bar and Bennett disclose The system of claim 10, the rejection is incorporated herein.
But Bar fail to explicitly disclose “wherein computer-readable instructions, when executed by the processor, further cause the processor to provide a recommendation regarding reducing the privacy impact score associated with the data source.”
Bennett disclose wherein computer-readable instructions, when executed by the processor, further cause the processor to provide a recommendation regarding reducing the privacy impact score associated with the data source. (Fig. 12, [0014][0019] [0063][0065][0077] [0095] [0086][0212][0224]  user can select information from the graph representing the privacy score, display a report and graphics and what-if scenarios regarding to reduce the risk)
It would have been obvious to one having ordinary skill in the art before the effective filing data of the claimed invention was made to incorporate Bennett’s interactive graphs into Bar’s invention as they are related to the same field endeavor of displaying information on a user interface. The motivation to combine these arts, as proposed above, at least because Bennett’s interactive graphs would display more data on the graph to Bar’s system. Therefore it would have been obvious to one having ordinary skill in the art before the effective filing data of the claimed invention was made that manipulating data on the graph would help to provide more intuitive ways to display the data and therefore to improve the user experience using the device.
In regard to claim 15, Bar and Bennett disclose  The method of claim 14, the rejection is incorporated herein.
But Bar fail to explicitly disclose “further comprising: receiving a selection of a plot point associated with one of the data sources depicted on the visual graph; and displaying information associated with the selected plot point.”
Bennett disclose further comprising: receiving a selection of a plot point associated with one of the data sources depicted on the visual graph; and displaying information associated with the selected plot point.  ([0065][0077] user can “mouse over” or “click down” to see some additional detail data related to the user selection) 
It would have been obvious to one having ordinary skill in the art before the effective filing data of the claimed invention was made to incorporate Bennett’s interactive graphs into Bar’s invention as they are related to the same field endeavor of displaying information on a user interface. The motivation to combine these arts, as proposed above, at least because Bennett’s interactive graphs would display more data on the graph to Bar’s system. Therefore it would have been obvious to one having ordinary skill in the art before the effective filing data of the claimed invention was made that manipulating data on the graph would help to provide more intuitive ways to display the data and therefore to improve the user experience using the device.
In regard to claim 17, Bar disclose   A system comprising: ([0011] system)
a display of the system configured to depict a graphical user interface; ([0014] a user interface on a display ) 
a processor; ([0014] processor) and
a storage memory storing computer-readable instructions, which when executed by the processor, cause the processor to: ([0014]-[0015] 124, 122, 120) 
display, via the graphical user interface, data associated with privacy ratings for one or more data sources; ([0029]-[0031] [0039] display graphics to indicate privacy risk scores on the user interface from applications) 
But Bar fail to explicitly disclose “receive a selection of at least one plot point representing a privacy impact score on the graphical user interface; determine whether a modification to metadata associated with the privacy impact score results in a reduction of the privacy impact score; and display a recommendation on the graphical user interface concerning the modification.”
Bennett disclose receive a selection of at least one plot point representing a privacy impact score on the graphical user interface; (Fig. 12, [0019] [0065][0077] [0095] [0086][0212][02165]  user can select information from the graph representing the privacy score)
determine whether a modification to metadata associated with the privacy impact score results in a reduction of the privacy impact score; ([0014] [0063][0077][0107] [0125] [0131][0132]  create what-if scenarios to determine if the risk is reduced or minimized, etc ) and 
display a recommendation on the graphical user interface concerning the modification. ([0014] [0063] [0077][0107] [0224] display a report and graphics and what-if scenarios regarding to change)
It would have been obvious to one having ordinary skill in the art before the effective filing data of the claimed invention was made to incorporate Bennett’s interactive graphs into Bar’s invention as they are related to the same field endeavor of displaying information on a user interface. The motivation to combine these arts, as proposed above, at least because Bennett’s interactive graphs would display more data on the graph to Bar’s system. Therefore it would have been obvious to one having ordinary skill in the art before the effective filing data of the claimed invention was made that manipulating data on the graph would help to provide more intuitive ways to display the data and therefore to improve the user experience using the device.
In regard to claim 18, Bar and Bennett disclose The system of claim 17, the rejection is incorporated herein.
Bar also disclose wherein the privacy impact score is calculated based at least on aggregating sensitivity scores associated with data types used in a data source, and aggregating sensitivity scores associated with data uses of the data types used in the data source.  ([0023]-[0032] privacy impact score is calculated based on the scores associated with sensitivity scores relate to type, or applications, etc. with various weighting factors)
In regard to claim 19, Bar and Bennett disclose The system of claim 18, the rejection is incorporated herein.
Bar also disclose wherein the privacy impact score is based at least on a de-identification level associated with the data types used in the data source. ([0010][0023][0024] [0029]-[0032] privacy impact score is categorized based on the assessed severity level associated with the type of application , etc.)
In regard to claim 20, Bar and Bennett disclose   The system of claim 17, the rejection is incorporated herein.
Bar also disclose wherein a size of a plot point displayed on the graphical user interface is influenced by the privacy impact score. ([0031][0039] highlighted a particular color based on the score of the privacy impact score or change size to indicate the level of severity is well known to the people with skill in the art and it is an implantation choice, not an invention)
Conclusion
The prior art made of record and not relied upon is considered pertinent to Applicant's disclosure. 
U.S. Patent Documents
PATENT PUB. #	PUB. DATE	INVENTOR(S)	TITLE

US 2014/0278730 A1	September 18, 2014			MUHART et al.
VENDOR MANAGEMENT SYSTEM AND METHOD FOR VENDOR RISK PROFILE AND RISK RELATIONSHIP GENERATION
US 20160188883 A1J	une 30, 2016					Wang et al.
ELECTRONIC SYSTEM WITH RISK PRESENTATION MECHANISM AND METHOD OF OPERATION THEREOF
Any inquiry concerning this communication or earlier communications from the examiner should be directed to XUYANG XIA whose telephone number is (571)270-3045.  The examiner can normally be reached on Monday-Friday 8am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jennifer To can be reached on 571-272-7212.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


XUYANG XIA
Primary Examiner
Art Unit 2143



/XUYANG XIA/Primary Examiner, Art Unit 2143