DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

This office action is in response to applicant’s amendment filed on 10/13/2021.
Claims 1-20 are pending and examined.
Response to Arguments
Applicant’s arguments filed on 10/13/2021 have been fully considered.
Per claims 1, 8 and 14, the examiner previously stated that the amendment appears to overcome the current rejection. However, upon further careful reading, the examiner believes the previously cited prior art Chin still suggests the claim limitations of “sending a first electronic correspondence to the requestor, wherein the first electronic correspondence comprises an authentication token; and sending a second electronic correspondence to the requestor, wherein the second electronic correspondence comprises a link that the requestor may select to gain access to the data by providing the authentication token” (Figs. 3, 4; paragraphs [0018]-[0020][0042]-[0045]; after determining login is successful, a server generates an authentication token and provides it to the requester (first electronic correspondence); the server also provides a content page code to the requester; upon receiving subsequent input from a user (after receiving the content page code), the browser application may send a new content request to the server; the server provides the requested content (second electronic correspondence) to the browser, the browser displays the new content page code; the requester can click on a link on the content page to request and retrieve more content from the user account, the request includes the authentication token).


The examiner is available for a phone interview with applicant.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-6, 8-9, 12-16 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Chin et al. (US PGPUB 2010/0161973) hereinafter Chin, in view of Ayed (US PGPUB 2012/0019379).

Per claim 1, Chin discloses “a method comprising: receiving a data subject access request to access data for a data subject from a requestor, wherein the data subject access request comprises an identifying characteristic for the data subject; determining by computing hardware whether the data subject exist based at least in part on the identifying characteristic for the data subject” (Fig. 4; paragraphs [0002][0003][0045]; a user logins to access information on the user’s account (data subject access request); a login request may include a user name and password (characteristic for the data subject); the login may be successful if the received user name and password match (determining exists) a stored user name and password); “responsive to determining the requestor is the data subject; sending a first electronic correspondence to the requestor, wherein the first electronic correspondence comprises an authentication token; and sending a second electronic correspondence to the requestor, wherein the second electronic correspondence comprises a link that the requestor may select to gain access to the data by providing the authentication token” (Figs. 3, 4; paragraphs [0018]-[0020][0042]-[0045]; after determining login is successful, a server generates an authentication token and provides it to the requester (first electronic correspondence); the server also provides a content page code to the requester; upon receiving subsequent input from a user, the browser application may send a new content request to the server; the server provides the requested content (second electronic correspondence) to the browser, the browser displays the new content page code; the requester can click on a link on the content page to request and retrieve more content from the user account, the request includes the authentication token).
Chin discloses validating user login information, but does not explicitly teach “responsive to determining the data subject exists, providing by computing hardware a plurality of knowledge-based authentication questions configured to validate the requestor as the data subject; receiving a response to at least one of the plurality of knowledge-based authentication questions from the requestor; determining whether the requestor is the data subject based at least in part on the response provided by the requestor to the at least one of the plurality of knowledge-based authentication questions being correct”. However, Ayed suggests the above (Fig. 17; paragraphs [0327][0328][0340]-[0343][0346]; a multi-factor authentication method for gaining access to an application, after a user’s password is validated (first factor), providing more authentication questions (more factors) to validate the requester, questions include asking the user’s city, birthday, age, or requesting the user to enter something (a response) only the user knows; after the user is authenticated (determination), the user is granted access to the application).  Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Chin and Ayed to utilize a multi-factored authentication method in Ayed (asking additional authentication questions after validating the user’s name and password) to grant the user access to user 

Per claim 2, Chin further suggests “wherein the link is configured to open a graphical user interface to gain access to the data, and the graphical user interface is configured to request the requestor to provide the authentication token to access the data” (Figs. 3, 4; paragraphs [0018]-[0020][0042]-[0045]; the server also provides a content page code to the requester; a browser (user interface) displays the content page code; the requester can click on a link on the content page to request and retrieve content from the user account, the browser would display the requested content; the user clicking on the link would result in the authentication token automatically being sent to the server; it would have been obvious that the browser can prompt a user whether or not to send the authentication token to the server, as this gives the user more flexibility and control over the authentication process).

Per claim 3, Chin further suggests “wherein the graphical user interface comprises a website that is accessible via the link through a browser executing on a computing device being used by the requestor” (Figs. 3, 4; paragraphs [0018]-[0020][0042]-[0045]; the server also provides a content page code to the requester; a browser (user interface) displays the content page code (web page); the requester can click on a link on the content page to request and retrieve content from the user account, the browser would display the requested content).

Per claim 4, Chin further suggests “generating by computing hardware a unique identifier for the data subject access request; and providing the unique identifier to the requestor, wherein the graphical user interface requests the requestor to provide the unique identifier along with the authentication token to access the data” (paragraphs [0047][0048]; the server generates a unique user login identifier, the user login identifier may be associated with the user's session and is valid for the length of the session, the user login identifier information is included in the authentication token (which also includes additional information) and to be used in the authentication process; therefore, when the authentication token is utilized to access user data, the user login identifier information is also being utilized to access user data).

Per claim 5, Ayed further suggests “wherein providing the plurality of knowledge-based authentication questions comprises providing the plurality of knowledge-based authentication questions for display on a graphical user interface so that the requestor can provide the response to the at least one of the plurality of knowledge-based authentication questions” (paragraphs [0340]-[0343][0346][0358]; a multi-factor authentication method for gaining access to an application, after a user’s password is validated (first factor), providing more authentication questions (more factors) to validate the requester, questions include asking the user’s city, birthday, age, or requesting the user to enter something (a response) only the user knows; questions are asked through a display).

Per claim 6, Ayed further suggests “providing by computing hardware the identifying characteristic for the data subject to a third-party system; receiving third-party data for the data subject from the third-party system; and generating by computing hardware the plurality of knowledge-based authentication questions based at least in part on the third-party data, wherein the third-party data comprises a correct response to each of the plurality of knowledge-based authentication questions” (paragraphs [0162][0171][0297][0340]-[0343][0346]; a multi-factor authentication method for gaining access to an application, after a user’s password is validated (first factor), providing more authentication questions (more factors) to validate the requester, questions 

Per claim 8, Chin discloses “A system comprising: a non-transitory computer-readable medium storing instructions; and a processing device communicatively coupled to the non-transitory computer-readable medium, wherein, the processing device is configured to execute the instructions and thereby perform operations comprising” (Fig. 2) “receiving a data subject access request to access personal data from a requestor” (Fig. 4; paragraphs [0002][0003][0045]; a user logins to access information on the user’s account (data subject access request)); “responsive to determining the requestor is the data subject: providing an authentication token to the requestor through a first electronic correspondence; and providing a link to the requestor through a second electronic correspondence, wherein the link is configured to be selected by the requestor to gain access to the personal data by providing the authentication token” (Figs. 3, 4; paragraphs [0018]-[0020][0042]-[0045]; after determining login is successful, a server generates an authentication token and provides it to the requester (first electronic correspondence); the server also provides a content page code to the requester; upon receiving subsequent input from a user, the browser application may send a new content request to the server; the server provides the requested content (second electronic correspondence) to the browser, the browser displays the content page code; the requester can click on a link on the content page to request and retrieve more content from the user account, the request includes the authentication token).

Chin discloses validating user login information, but does not explicitly teach “responsive to receiving the data subject access request, providing a knowledge-based authentication question for display via a graphical user interface to the requestor, the knowledge-based authentication question configured to validate the requestor as a data subject associated with the personal data; requesting a response to the knowledge-based authentication question from the requestor through the graphical user interface; receiving the response to the knowledge-based authentication question from the requestor; determining whether the requestor is the data subject based at least in part on the response provided by the requestor to the knowledge-based authentication question being correct; and”. However, Ayed suggests the above (Fig. 17; paragraphs [0327][0328][0340]-[0343][0346][0358]; a multi-factor authentication method for gaining access to an application, after a user’s password is validated (first factor), providing more authentication questions (more factors) to validate the requester, questions include asking the user’s city, birthday, age, or requesting the user to enter something (a response) only the user knows; after the user is authenticated (determination), the user is granted access to the application; questions are asked through a display).  Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Chin and Ayed to utilize a multi-factored authentication method in Ayed (asking additional authentication questions after validating the user’s name and password) to grant the user access to user account information, as the multi-factored authentication method is more secure than the single factored authentication commonly used.

Per claim 9, Chin in view of Ayed suggests “an identifying characteristic for the data subject and the operations further comprise: determining whether the data subjects exist based at least in part on the identifying characteristic for the data subject, in which the knowledge-based authentication question is provided for display via the graphical user interface in response to determining the data subject exists” (Chin, paragraphs [0002][0003][0045]; a login request may include a user name and password (characteristic for the data subject); the login may be successful if the received user name and password match (determining exists) a stored user name and password; Ayed, paragraphs [0327][0328][0340]-[0343][0346][0358]; a multi-factor authentication method for gaining access to an application, after a user’s password is validated (first factor), providing more authentication questions (more factors) to validate the requester, questions include asking the user’s city, birthday, age, or requesting the user to enter something (a response) only the user knows; questions are asked through a display).

Per claim 13, Ayed further suggests “receiving an image of an identifying document via the graphical user interface, in which determining whether the requestor is the data subject is also based at least in part on the image of the identifying document” (paragraphs [0340]-[0343][0320][0315]; a multi-factor authentication method for gaining access to an application, after a user’s password is validated (first factor), providing more authentication questions (more factors) to validate the requester, including asking a user to scan and capture an image of a hand to authenticate the user, or a user is asked to enter the user’s signature (an image) to authenticate the user).

Per claim 16, Ayed further suggests “wherein determining whether the data subject exist comprises submitting the identifying characteristic for the data subject to a third-party external system to confirm that an individual with the identifying characteristic exist” (paragraphs [0162][0171][0297][0340]-[0343][0346]; a multi-factor authentication method for gaining access to an application, after a user’s password is validated (first factor), providing more authentication questions (more factors) to validate the requester, questions include asking the user’s city, birthday, age, or 

Claims 12 and 18 are rejected under similar rationales as claim 6.
Claim 14 is rejected under similar rationales as claim 8.
Claim 15 is rejected under similar rationales as claim 9.
Claim 19 is rejected under similar rationales as claim 13.
Claim 20 is rejected under similar rationales as claim 1.

Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Chin, in view of Ayed, and in view of Grigg et al. (US PGPUB 2016/0248781) hereinafter Grigg.

Per claim 7, Chin does not teach “identifying a type for the data subject access request; and determining by the computing hardware, based at least in part on the type, a number of the plurality of knowledge-based authentication questions required to be answered with a correct response to validate the requestor as the data subject”. However, Grigg suggests the above (Fig. 1C, paragraphs [0003][0022][0023][0051]; a banking application to allow a user to perform various functions with respect to the user's account with the bank; a user-selected preference to allow a user different levels of access to an application; a user can request for accessing a particular access level of the application, each access level requires a specified type of authentication; a higher level of .

Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Chin, in view of Ayed, and in view of Schultz (US PGPUB 20080288299).

Per claim 10, Chin discloses validating a user’s name and password, but does not explicitly teach “determining whether the data subject exists by submitting the identifying characteristic for the data subject to a credit reporting agency to confirm that an individual with the identifying characteristic exists”. However, this is a common practice in the field of the art, as evidenced in Schultz (claims 1-8, providing a user’s characteristic information to a credit reporting agency to confirm the identity of the user). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Chin, Ayed and Schultz to utilize a credit reporting agency to .

Claims 11 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Chin, in view of Ayed, and in view of Kode et al. (US PGPUB 2015/0339464) hereinafter Kode.

Per claim 11, Chin further suggests “wherein the link is configured to open a second graphical user interface to gain access to the personal data” (Figs. 3, 4; paragraphs [0018]-[0020][0042]-[0045]; a user logins to access information on the user’s account; the server also provides a content page code to the requester; a browser (user interface) displays the content page code; the requester can click on a link on the content page to request and retrieve content from the user account, the browser would display in a window (second graphical user interface) content from the clicked link). While Chin discloses sending an authentication token automatically to request access of personal data, Chin does not explicitly teach “the second graphical user interface is configured to request the requestor to enter the authentication token into the second graphical user interface to access the personal data”. However, Kode suggests the above (paragraph [0042]; an application (graphical user interface) prompts a user to manually select a security token (or use other methods) to access a user account). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Chin, Ayed and Kode that instead of sending an authentication token automatically to request access of personal data, a user is prompted to manually select a security token (or use other methods) in a 

Claim 17 is rejected under similar rationales as claim 11.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HANG PAN whose telephone number is (571)270-7667. The examiner can normally be reached 9 AM to 5 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/HANG PAN/
Primary Examiner, Art Unit 2193