DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The amendment filed 9/10/2021 has been placed of record in the file.
Claim 10 has been amended.
Claims 1-10, 14, 15, 17, 18, and 20 are pending.
The applicant’s arguments with respect to claims 1-10, 14, 15, 17, 18, and 20 have been fully considered but they are not persuasive as discussed below.
The IDS filed 7/7/2021, the IDS filed 9/10/2021, and the second IDS filed 9/10/2021 have been considered.

Claim Rejections - 35 USC § 102
7.	In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
8.	The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

9.	Claims 1-6, 8-10, 14, 15, 17, 18, and 20 are rejected under 35 U.S.C. 102(a)(1)/(a)(2) as being anticipated by Zimmermann et al. (U.S. Patent Application Publication Number 2018/0027006), hereinafter referred to as Zimmermann.
Regarding claim 1, Zimmermann discloses a tangible non-transitory computer readable storage media, including program instructions loaded into memory that, when executed on processors, cause the processors to implement a method of incident-driven and user-targeted data loss prevention, the method including: a cloud access security broker (abbreviated CASB) controlling exfiltration of sensitive content in documents stored on cloud-based services in use by users of an organization by monitoring manipulation of the documents (paragraph 97, cloud security fabric, and paragraph 114, CSF hosts security services including context analysis services, etc.); in response to receiving an indication that credentials of a particular one of the users have been compromised, the CASB identifying one or more of the cloud-based services that the particular one of the users has access to and at least one document location on the cloud-based services to inspect for sensitive documents (paragraph 264, identifying sensitive data and compromised account); the CASB performing deep inspection of documents identified as stored at the document location and detecting at least some sensitive documents (paragraph 114, analyze documents for sensitive information); and based on the detected sensitive documents, the CASB determining a data exposure for the organization due to the compromised credentials of the particular one of the users (paragraph 384, identify exposure levels).
Regarding claim 2, Zimmermann discloses wherein the compromised credentials include a single sign-on (abbreviated SSO) authentication for accessing the one or more of the cloud-based services (paragraph 111, SSO).
Regarding claim 3, Zimmermann discloses wherein the data exposure is determined based on a count of the detected sensitive documents (paragraph 570, tracks access to documents with sensitive information).
Regarding claim 4, Zimmermann discloses program instructions that, when executed on processors, cause the processors to implement the method including: the CASB measuring regulatory compliance based on the count of the detected sensitive documents and detecting regulatory violations; and flagging the regulatory violations for reporting to a regulatory authority (paragraph 549, reporting for compliance requirements).
Regarding claim 5, Zimmermann discloses wherein compromise of the documents subject to the data exposure is determined based on determination by the CASB that the detected sensitive documents were transmitted out of the at least one of the cloud-based services from the identified document location on or after a date of interest (paragraph 114, sensitive data shared outside of organization).
Regarding claim 6, Zimmermann discloses wherein the transmission is detected based on examination of activity logs previously generated, in advance of receiving the indication, from document deposit to, retrieval from, and sharing via the at least one of the cloud-based services (paragraph 120, event logs).
Regarding claim 8, Zimmermann discloses program instructions that, when executed on processors, cause the processors to implement the method including: in response to receiving an indication that a particular one of the users has exited the organization, the CASB identifying at least one document location on at least one of the cloud-based services that the particular one of the users continued to have access to post-exit; the CASB performing deep inspection of documents stored at the identified document location and detecting at least some sensitive 
Regarding claim 9, Zimmermann discloses wherein date of interest is at least one of when the credentials were compromised and when the exit occurred (paragraph 533, detection date).
Regarding claim 10, Zimmermann discloses program instructions that, when executed on processors, cause the processors to implement the method including: in response to detecting the at least some sensitive documents, triggering a security action, wherein the security action is encrypting the sensitive documents with a key not accessible via the compromised credential (paragraph 120, encrypting sensitive data).
Regarding claim 14, Zimmermann discloses a tangible non-transitory computer readable storage media, including program instructions loaded into memory that, when executed on processors, cause the processors to implement a method of incident-driven and user-targeted data loss prevention, the method including: a cloud access security broker (abbreviated CASB) controlling exfiltration of sensitive content in documents stored on cloud-based services in use by users of an organization by monitoring manipulation of the documents (paragraph 97, cloud security fabric, and paragraph 114, CSF hosts security services including context analysis services, etc.); in response to receiving an indication that credentials of a particular one of the users have been compromised, the CASB identifying one or more of the cloud-based services that the particular one of the users has access to and at least one document location on the cloud-based services to inspect for sensitive documents (paragraph 264, identifying sensitive data and compromised account); the CASB detecting at least some sensitive documents identified as 
Regarding claim 15, Zimmermann discloses a computer-implemented method including executing on a processor the program instructions from the non-transitory computer readable storage media (paragraph 597, processor executes program instructions).
Regarding claim 17, Zimmermann discloses a computer-implemented method including executing on a processor the program instructions from the non-transitory computer readable storage media (paragraph 597, processor executes program instructions).
Regarding claim 18, Zimmermann discloses a system for incident-driven and user-targeted data loss prevention, the system including a processor, memory coupled to the processor, and computer instructions from the non-transitory computer readable storage media loaded into the memory (paragraph 597, computing platform).
Regarding claim 20, Zimmermann discloses a system for incident-driven and user-targeted data loss prevention without needing to perform content sensitivity scan, the system including a processor, memory coupled to the processor, and computer instructions loaded into .

Claim Rejections - 35 USC § 103
10.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

11.	Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Zimmermann in view of Brisebois et al. (U.S. Patent Application Publication Number 2017/0331777), hereinafter referred to as Brisebois.
Zimmermann disclosed techniques for securing enterprise computing systems.  In an analogous art, Brisebois disclosed techniques for managing emails based on data loss prevention policies.  Both systems are directed toward the detection and prevention of data loss.
Regarding claim 7, Zimmermann does not explicitly state wherein the at least one of the cloud-based services is a cloud-hosted email service and the identified document location is at least one of inbox folder, sent folder, outbox folder, drafts folder, and deleted folder.  However, identifying and managing email services for data loss prevention was well known in the art as evidenced by Brisebois.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Zimmermann by adding the ability that the at least one of the cloud-based services is a cloud-hosted email service and the identified document location is at least one of inbox folder, sent folder, outbox folder, drafts folder, and deleted folder as provided .

Response to Arguments
12.	In the remarks, the applicant has argued:
<Argument 1>
Zimmermann does not disclose the features of independent claim 1 because he does not disclose “determining a data exposure for the organization due to the compromised credentials” as recited in claim 1.
<Argument 2>
Zimmermann does not disclose the features of dependent claim 3 because he does not disclose “wherein the data exposure is determined based on a count of the detected sensitive documents” as recited in claim 3.
<Argument 3>
Zimmermann does not disclose the features of dependent claim 4 because he does not disclose “measuring regulatory compliance based on the count of the detected sensitive documents” as recited in claim 4.
<Argument 4>
Zimmermann does not disclose the features of dependent claim 5 because he does not disclose “determination…that the detected sensitive documents were transmitted out of 
13.	In response to argument 1, Zimmermann does disclose the features as recited in claim 1.  The rejection cites paragraph 384, which states the ability to identify exposure levels.  This is seen to meet the limitation at hand as an identification of a data exposure level is considered to be a determination of data exposure.  Contrary to the applicant’s assertion in the remarks that Zimmermann only teaches “triggering a policy that identifies a user who exposes documents to others”, the cited paragraph makes clear that a policy itself is used to identify multiple different exposure levels via the identification of newly exposed documents.
14.	In response to argument 2, Zimmermann does disclose the features as recited in claim 3.  The rejection cites paragraph 570, which states the ability to track access to documents with sensitive information.  This is seen to meet the limitation at hand as identifying access to such documents is considered to be a count and accounting of these documents.  The cited paragraph makes clear that Zimmermann’s system tracks exactly which documents are accessed.
15.	In response to argument 3, Zimmermann does disclose the features as recited in claim 4.  The rejection cites paragraph 549, which states reporting for compliance requirements.  This is seen to meet the limitation at hand as the results of the system’s analysis (the focus on the threats) can be considered against compliance requirements (to determine satisfaction or not of specific demands).  Concerning “the count of the detected sensitive documents”, the applicant is directed back to the response to argument 2 above.
16.	In response to argument 4, Zimmermann does disclose the features as recited in claim 5.  The rejection cites paragraph 114, which states that the system considers sensitive data that is 

Conclusion
17.	THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
18.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to Victor Lesniewski whose telephone number is (571)272-2812.  The examiner can normally be reached on Monday thru Friday, 9am to 5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/Victor Lesniewski/Primary Examiner, Art Unit 2493