Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Detailed action
Claims 1-4, 6-18 and 20 are pending and are being considered. 
Claims 1, 4, 6, 8 and 15 have been amended.
Claims 5 and 19 have been cancelled.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 04/30/2021, 05/28/2021, 06/29/2021, 07/22/2021 and 08/10/2021 was filed after the mailing date of the application no. 16/808,497 on 03/04/2020.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Examiner's Amendments
An examiner's amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee. Authorization for this examiner's amendment was given in a telephone interview and by Email from Aaron F. Bourgeois Reg. No. 57,936 on 08/31/2021.
AMEND THE CLAIMS AS FOLLOWS:
1.	(Currently Amended)  A computer-implemented data processing method for determining a required data privacy activity

	 retrieving, by the one or more computer processors based at least in part on the first jurisdiction, a first data privacy requirement for the first jurisdiction from a data structure using an ontology mapping the first data privacy requirement for the first jurisdiction to a second data privacy requirement for the second jurisdiction;
	 retrieving, by the one or more computer processors based on the ontology mapping the first data privacy requirement for the first jurisdiction to the second data privacy requirement for the second jurisdiction, the second data privacy requirement for the second jurisdiction from the data structure using the ontology;
 retrieving, by the one or more computer processors based on the first jurisdiction, a first enforcement parameter from the data structure using the ontology, wherein the first enforcement parameter indicates a first number of enforcement actions associated with the first data privacy requirement for the first jurisdiction performed in a particular time period;
 retrieving, by the one or more computer processors based at least in part on the second jurisdiction, a second enforcement parameter from the data structure using the ontology, wherein the second enforcement parameter indicates a second number of enforcement actions associated with the second data privacy requirement for the second jurisdiction performed in the particular time period;
determining, by the one or more computer processors, a first reporting score for the first jurisdiction based on a first business value for the first jurisdiction and the first enforcement parameter; 
determining, by the one or more computer processors, a second reporting score for the second jurisdiction based on a second business value for the second jurisdiction and the second enforcement parameter;

in response to determining that satisfying the first data privacy requirement for the first jurisdiction conflicts with satisfying the second data privacy requirement for the second jurisdiction, automatically, by the one or more computer processors: 
calculating a first risk level associated with not satisfying the first data privacy requirement for the first jurisdiction using the first reporting score for the first jurisdiction; and
calculating a second risk level associated with not satisfying the second data privacy requirement for the second jurisdiction using the second reporting score for the second jurisdiction;
performing, by the one or more computer processors, a comparison of the first risk level with the second risk level to determine which of the first risk level and the second risk level is a lowest risk level;
determining, by the one or more computer processors based on the lowest risk level, a required data privacy activity; 
mapping, by the one or more computer processors, the required data privacy activity to a master question in a master questionnaire; 
electronically generating, by the one or more computer processors, a second graphical user interface comprising the master questionnaire;
electronically receiving, by the one or more computer processors, data responsive to the master question via the second graphical user interface; 
wherein:
calculating the first risk level associated with not satisfying the first data privacy requirement for the first jurisdiction comprises determining a first fine imposition rate for violations of the first data privacy requirement for the first jurisdiction; and
calculating the second risk level associated with not satisfying the second data privacy requirement for the second jurisdiction comprises determining a second fine imposition rate for violations of the second data privacy requirement for the first jurisdiction.

4. 	(Currently amended) The computer-implemented data processing method of claim 1, wherein calculating the first risk level associated with not satisfying the first data privacy requirement for the first jurisdiction comprises determining a first penalty for not satisfying the first data privacy requirement for the first jurisdiction; and
wherein calculating the second risk level associated with not satisfying the second data privacy requirement for the second jurisdiction comprises determining a second penalty for not satisfying the second data privacy requirement for the first jurisdiction.

5.	(Cancelled) 
6.	(Currently amended) The computer-implemented data processing method of claim 1, wherein calculating the first risk level associated with not satisfying the first data privacy requirement for the first jurisdiction comprises determining a first volume of data processed in the first jurisdiction; and
calculating the second risk level associated with not satisfying the second data privacy requirement for the second jurisdiction comprises determining a second volume of data processed in the first jurisdiction.

8. 	(Currently amended) A computer-implemented data processing method for performing data breach response activities
	determining, by one or more computer processors, a first jurisdiction affected by a data breach;
	determining, by the one or more computer processors, a second jurisdiction affected by the data breach;
 retrieving, by the one or more computer processors based on the first jurisdiction, the first reporting requirement for the first jurisdiction from a data structure using an ontology mapping the first reporting requirement for the first jurisdiction to a second reporting requirement for the second jurisdiction;
 retrieving, by the one or more computer processors based on the ontology mapping the first reporting requirement for the first jurisdiction to the second reporting requirement for the second jurisdiction, the second reporting requirement for the second jurisdiction from the data structure using the ontology;
 retrieving, by the one or more computer processors based on the first jurisdiction, a first enforcement parameter from the data structure using the ontology, wherein the first enforcement parameter indicates a first number of enforcement actions associated with the first reporting requirement for the first jurisdiction performed in a particular time period;
 retrieving, by the one or more computer processors based on the second jurisdiction, a second enforcement parameter from the data structure using the ontology, wherein the second enforcement 
determining, by the one or more computer processors, a first reporting score for the first jurisdiction based on a first business value for the first jurisdiction and the first enforcement parameter; 
determining, by the one or more computer processors, a second reporting score for the second jurisdiction based on a second business value for the second jurisdiction and the second enforcement parameter;
determining, by the one or more computer processors, that performing both the first reporting requirement for the first jurisdiction and the second reporting requirement for the second jurisdiction is not possible;
in response to determining that performing both the first reporting requirement for the first jurisdiction and performing the second reporting requirement for the second jurisdiction is not possible, automatically, by the one or more computer processors: 
calculating a first risk level associated with not performing the first reporting requirement for the first jurisdiction using the first reporting score for the first jurisdiction, wherein calculating the first risk level comprises determining a first penalty for not satisfying the first reporting requirement for the first jurisdiction; and
calculating a second risk level associated with not performing the second reporting requirement for the second jurisdiction using the second reporting score for the second jurisdiction, wherein calculating the second risk level comprises determining a second penalty for not satisfying the second reporting requirement for the second jurisdiction;
performing, by the one or more computer processors, a comparison of the first risk level with the second risk level to determine that the first risk level is higher than the second risk level;

mapping, by the one or more computer processors, the first reporting requirement for the first jurisdiction to a master question in a master questionnaire and not mapping the second reporting requirement for the second jurisdiction to a question in the master questionnaire;
electronically generating, by the one or more computer processors, a graphical user interface comprising the master questionnaire;
 electronically receiving, by the one or more computer processors, data responsive to the master question via the graphical user interface;
 generating, by the one or more computer processors, an electronic link associating the data responsive to the master question with the first reporting requirement for the first jurisdiction in the data structure using the ontology; and
automatically performing, by the one or more computer processors, the first reporting requirement for the first jurisdiction.

15. 	(Currently amended) A data breach response system comprising: 
 	one or more processors; and
	computer memory, wherein the data breach response system is configured for:
generating a data breach information interface soliciting a first affected jurisdiction, a second affected jurisdiction, and data breach information;
presenting the data breach information interface to a user;

 retrieving, based on the first affected jurisdiction and the data breach information, a first data breach response requirement for the first affected jurisdiction from a data structure using an ontology mapping the first data breach response requirement for the first affected jurisdiction to a second data breach response requirement for the second affected jurisdiction;
 retrieving, based on the second affected jurisdiction, the ontology mapping the first data breach response requirement for the first affected jurisdiction to the second data breach response requirement for the second affected jurisdiction, and the data breach information, the second data breach response requirement for the second affected jurisdiction from the data structure using the ontology; 
 retrieving, based on the first affected jurisdiction, a first enforcement parameter from the data structure using the ontology, wherein the first enforcement parameter indicates a first number of enforcement actions associated with the first data breach response requirement for the first affected jurisdiction in a particular time period;
 retrieving, based on the second affected jurisdiction, a second parameter from the data structure using the ontology, wherein the second enforcement parameter indicates a second number of enforcement actions associated with the second data breach response requirement enforcement for the second affected jurisdiction in the particular time period;
determining a first reporting score for the first affected jurisdiction based on a first business value for the first affected jurisdiction and the first enforcement parameter; 

determining that performing both the first data breach response requirement for the first affected jurisdiction and the second data breach response requirement for the second affected jurisdiction is not possible; and
in response to determining that performing both the first data breach response requirement for the first affected jurisdiction and the second data breach response requirement for the second affected jurisdiction is not possible: 
calculating a first risk level associated with not performing the first data breach response requirement for the first affected jurisdiction using the first reporting score for the first affected jurisdiction; and
calculating a second risk level associated with not performing the second data breach response requirement for the second affected jurisdiction using the second reporting score for the second affected jurisdiction;
performing a comparison of the first risk level with the second risk level to determine that the first risk level is higher than the second risk level;
generating a master questionnaire comprising a master question;
mapping the first data breach response requirement for the first affected jurisdiction to the master question in the ontology and not mapping the second data breach response requirement for the second affected jurisdiction to a question in the master questionnaire;
generating a graphical user interface comprising the master questionnaire;

generating an electronic link associating the data responsive to the master question with the first data breach response requirement for the first affected jurisdiction in the data structure using the ontology; 
generating a first data breach disclosure report for the first affected jurisdiction, the first data breach disclosure report comprising the data responsive to the master question, wherein:
the first reporting score for the first affected jurisdiction is further based at least in part on a first penalty associated with not satisfying a first reporting requirement for the first affected jurisdiction; and
the second reporting score for the second affected jurisdiction is further based at least in part on a second penalty associated with not satisfying a second reporting requirement for the second affected jurisdiction.

19. 	(Cancelled) 

Response to arguments
Applicants arguments filled on 07/28/2021 have been fully considered and are persuasive.
Allowable Subject matter
Claims 1-4, 6-18 and 20 are allowed.
Examiner’s Statement of Reason for Allowance
According to 37 C.F.R. 1.104(e), it is the examiner's discretion to evaluate at the time of allowance whether the record of the prosecution as a whole does not make clear his or her reasons for 
The following is an examiner’s statement of reasons for allowance:
In interpreting the currently amended claims in light of the specification, the Examiner finds the claimed invention to be patentably distinct from the prior art of record.
The present invention is directed towards mapping various questions regarding a data breach from a master questionnaire to a plurality of territory-specific data breach disclosure questionnaires. The answers to the questions in the master questionnaire are used to populate the territory-specific data breach disclosure questionnaires and determine whether disclosure is required in territory. The mapping is performed based on ontology between different jurisdiction requirement and calculating risk score of each jurisdiction when there is conflict between different jurisdictions. 
Claims 1, 8 and 15 identifies a unique and distinct feature of “……retrieving, by the one or more computer processors based on the first jurisdiction, a first enforcement parameter from the data structure using the ontology, wherein the first enforcement parameter indicates a first number of enforcement actions associated with the first data privacy requirement for the first jurisdiction performed in a particular time period; retrieving, by the one or more computer processors based at least in part on the second jurisdiction, a second enforcement parameter from the data structure using the ontology, wherein the second enforcement parameter indicates a second number of enforcement actions associated with the second data privacy requirement for the second jurisdiction performed in the particular time period;……. in response to determining that satisfying the first data privacy requirement for the first jurisdiction conflicts with satisfying the second data privacy requirement for the second jurisdiction, automatically, by the one or more computer processors: calculating a first risk level associated with not satisfying the first data privacy requirement for the first jurisdiction using the first reporting score for the first jurisdiction; and calculating a second risk level associated with not satisfying the second data privacy requirement for the second jurisdiction using the second reporting score for the second jurisdiction;” including other limitations in the claims.
The closest prior art White et al (US 20160125680) is directed towards Methods and systems for displaying information derived from identification documents associated with individuals are disclosed. In some embodiments, the system first scans or retrieves identification information from an identification document. The system then receives information of an issuer of the identification document, information of a current location of the identification document, and information of a proposed use of the identification information. The system then receives a set of rules from a database based on the information of the issuer, the current location, and the proposed use.
White teaches receiving first and second jurisdiction requirement and determine if there is conflict between the first and second jurisdiction requirement and calculating risk score for not performing the jurisdiction requirement for each of the jurisdiction, however White fails to teach retrieving, by the one or more computer processors based on the first jurisdiction, a first enforcement parameter from the data structure using the ontology, wherein the first enforcement parameter indicates a first number of enforcement actions associated with the first data privacy requirement for the first jurisdiction performed in a particular time period; retrieving, by the one or more computer processors based at least in part on the second jurisdiction, a second enforcement parameter from the data structure using the ontology, wherein the second enforcement parameter indicates a second number of enforcement actions associated with the second data privacy requirement for the second jurisdiction performed in the particular time period;……. in response to determining that satisfying the first data privacy requirement for the first jurisdiction conflicts with satisfying the second data privacy requirement for the second jurisdiction, automatically, by the one or more computer processors: 
The closest prior art Petran et al (US 20120226621) is directed towards a system comprising a database that stores inspection data from a plurality of restaurants that each experienced at least one associated foodborne illness outbreak and that stores inspection data from a plurality of restaurants that did not experience any foodborne illness outbreaks, a mapping that relates the inspection data from the plurality of restaurants that each experienced an associated foodborne illness outbreak to a standardized set of survey questions and that relates the inspection data from the plurality of restaurants that did not experience any foodborne illness outbreaks to the standardized set of survey questions, and at least one processor that identifies a set of one or more indicative violations from among the standardized set of survey questions that were recorded more frequently in the restaurants that experienced at least one associated foodborne illness outbreak than in the restaurants that did not experience any foodborne illness outbreaks. The processor may further determine a relative risk for each of the standardized set of survey questions based a failure rate per question for the plurality of restaurants that each experienced at least one associated foodborne illness outbreak by a failure rate per question for the plurality of restaurants that did not experience any foodborne illness outbreaks.
Petran teaches Ontology mapping of different jurisdiction requirement by determining reporting score based on business value and further based on enforcement parameter for each jurisdiction, however just like White, Petran also fails to teach retrieving, by the one or more computer processors based on the first jurisdiction, a first enforcement parameter from the data structure using the ontology, wherein the first enforcement parameter indicates a first number of enforcement actions associated with the first data privacy requirement for the first jurisdiction performed in a particular time period; 
The closest prior art Alvarez et al (US 20110270645) is directed towards data movement system comprises a rules repository configured to store rules associated with regulations of the first jurisdiction and the regulations of the second jurisdiction. A workflow manager is configured to determine jurisdictional complexity of the project as a function of the regulations of the first jurisdiction and the second jurisdiction. The workflow manager is configured to determine jurisdictional exposure of the project as a function of an organization's exposure to the first jurisdiction and the second jurisdiction. The workflow manager is configured to determine the risk of the project as a function of the jurisdictional complexity of the project and the jurisdictional exposure of the project.
Alvarez teaches calculating risk level for each jurisdiction and performing comparison between different risks score associated with each jurisdiction, however just like White and Petran, Alvarez also fails to teach retrieving, by the one or more computer processors based on the first jurisdiction, a first enforcement parameter from the data structure using the ontology, wherein the first enforcement parameter indicates a first number of enforcement actions associated with the first data privacy requirement for the first jurisdiction performed in a particular time period; retrieving, by the one or 

Therefore the prior art of record does not teach or suggest individually or in combination the particular limitation listed below as recited in the claims.
“retrieving, by the one or more computer processors based on the first jurisdiction, a first enforcement parameter from the data structure using the ontology, wherein the first enforcement parameter indicates a first number of enforcement actions associated with the first data privacy requirement for the first jurisdiction performed in a particular time period; retrieving, by the one or more computer processors based at least in part on the second jurisdiction, a second enforcement parameter from the data structure using the ontology, wherein the second enforcement parameter indicates a second number of enforcement actions associated with the second data privacy requirement for the second jurisdiction performed in the particular time period;……. in response to determining that satisfying the first data privacy requirement for the first jurisdiction conflicts with satisfying the second data privacy requirement for the second jurisdiction, automatically, by the one or more computer processors: calculating a first risk level associated with not satisfying the first data privacy requirement for the first jurisdiction using the first reporting score for the first jurisdiction; and calculating a second risk level associated with not satisfying the second data privacy requirement for the second jurisdiction using the second reporting score for the second jurisdiction.”

None of the prior art of record, either taken individually or in any combination, would have anticipated or made obvious the invention of the instant application at or before the time it was filled.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOEEN KHAN whose telephone number is (571)272-3522.  The examiner can normally be reached on 7AM-5PM EST M-TH Alternate Fridays.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571)272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 






/MOEEN KHAN/               Examiner, Art Unit 2436                                                                                                                                                                                         

/FATOUMATA TRAORE/               Primary Examiner, Art Unit 2436