DETAILED ACTION
1.	Applicant’s election without traverse of claims 8-20 (group II) in the reply filed on December 6th 2021 is acknowledged. Claims 1-7 are canceled and claims 8-20 are pending. Following the examiner’s amendment, claims 15, 17 and 19 are amended and claim 18 is canceled. Thus, claims 8-17 and 19-20 are pending, and claims 8 and 15 are independent.
Notice of Pre-AIA or AIA Status
2.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Priority	
3.	This application, filed on 06/07/2021, is a continuation in part of 17139650, filed 12/31/2020, now U.S. Patent #11030563. 17139650 is a continuation of 16808503, filed 03/04/2020, now U.S. Patent #10885485. 16808503 claims priority from Provisional Application 62813584, filed 03/04/2019. 16808503 is a continuation in part of 16714355, filed 12/13/2019, now U.S. Patent #10692033. 16714355 is a continuation of 16403358, filed 05/03/2019, now U.S. Patent #10510031. 16403358 is a continuation of 16159634, filed 10/13/2018, now U.S. Patent #10282692. 16159634 is a continuation in part of 16055083, filed 08/04/2018, now U.S. Patent #10289870. 16055083 is a continuation in part of 15996208, filed 06/01/2018, now U.S. Patent #10181051. 15996208 is a continuation in part of 15853674, filed 12/22/2017, now U.S. Patent #10019597. 15853674 is a continuation in part of 15619455, filed 06/10/2017, now U.S. Patent #9851966. 15619455 is a continuation in part of 15254901, filed 09/01/2016, now U.S. Patent #9729583. 15254901 claims priority from Provisional Application 62348695, filed 06/10/2016.
Information Disclosure Statement
4.	The information disclosure statements (IDS) submitted on 06/28/2021; 02/22/2021; 08/10/2021; 09/30/2021; 10/21/2021 and 11/30/2021 have been considered. The submission is in compliance with the provisions of 37 CFR 1.97. Form PTO-1449 is signed and attached hereto.
Drawings
5.	The drawings filed on June 7th, 2021 are accepted. 
Specification
6.	The specification filed on June 7th, 2021 is also accepted. 

7.	On December 15th, 2021, applicant's representative Alfred Steven Nugent, IV Cust. No. 93,485 and the examiner conducted an examiner-initiated telephone interview. The summary of the interview is attached.
EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with Alfred Steven Nugent, IV Cust. No. 93,485, on December 15th, 2021.


	The application has been amended as follows:




1. – 7. (Cancelled) 

8.	(Original) A system comprising:
	a non-transitory computer-readable medium storing instructions; and
	processing hardware communicatively coupled to the non-transitory computer-readable medium, wherein the processing hardware is configured to execute the instructions and thereby perform operations comprising:
identifying data breach data and affected jurisdictions for a data breach;
determining data breach response requirements for each of the affected jurisdictions based on the data breach data;
obtaining data breach response prioritization data;
generating a response plan for the data breach by evaluating the data breach response requirements against the data breach response prioritization data;
generating, based on the response plan, a graphical user interface by configuring a first set of navigation elements on the graphical user interface and excluding a second set of navigation elements from the graphical user interface, wherein:
each respective navigation element of the first set of navigation elements is configured for navigating to a different respective display element that presents a first different respective data breach response requirement, and
each respective navigation element of the second set of navigation elements is configured for navigating to a different respective display element that presents a second different respective data breach response requirement;
transmitting a first instruction to a user device to present the graphical user interface on the user device;
detecting a selection of a first navigation element of the first set of navigation elements; and
in response to detecting the selection of the first navigation element, transmitting a second instruction to the user device causing the user device to retrieve and present the respective display element for the first navigation element on the user device.

9.	(Original) The system of Claim 8, wherein the processing hardware is further configured to perform operations comprising:
completing a first data breach response requirement; and
responsive to performing the first data breach response requirement, modifying the graphical user interface by excluding a second navigation element from the first set of navigation elements, wherein the second navigation element is configured for navigating to a second display element that presents the first data breach response requirement. 

10. 	(Original) The system of Claim 8, wherein:
	a third navigation element of the first set of navigation elements displays a completion status of a second data breach response requirement; and
	the method further comprises:
causing performance of the second data breach response requirement; and
responsive to causing the performance of the second data breach response requirement, modifying, by the computing hardware, the third navigation element to indicate the completion status of the second data breach response requirement to reflect the performance of the second data breach response requirement.

11. 	(Original) The system of Claim 8, wherein:
the processing hardware is further configured to perform operations comprising, obtaining data breach requirement enforcement data for each of the affected jurisdictions; and
	generating the response plan for the data breach is further based on evaluating the data breach response requirements against the data breach requirement enforcement data for each of the affected jurisdictions.  

12.	(Original) The system of Claim 8, wherein the data breach response prioritization data comprises a user-provided prioritization of each of the affected jurisdictions. 

13.	(Original) The system of Claim 8, wherein the response plan comprises an ordered listing of at least one of the data breach response requirements.

14.	(Original) The system of claim 8, wherein configuring the first set of navigation elements on the graphical user interface comprises configuring each respective navigation element of the first set of navigation elements according to the response plan. 

15.	(Currently Amended) A system comprising:
	a non-transitory computer-readable medium storing instructions; and
	processing hardware communicatively coupled to the non-transitory computer-readable medium, wherein the processing hardware is configured to execute the instructions and thereby perform operations comprising:
identifying data breach data and affected jurisdictions for a data breach;
determining data breach response requirements for each of the affected jurisdictions based on the data breach data;
obtaining data breach response prioritization data;
generating a response plan for the data breach by evaluating the data breach response requirements against the data breach response prioritization data;
generating, based on the response plan, a graphical user interface by configuring a first navigation element on the graphical user interface and excluding a second navigation element from the graphical user interface, wherein:
the first navigation element is configured for navigating to a first display element that presents a first response requirement, and
the second navigation element is configured for navigating to a second display element that presents a second response requirement;
transmitting a first instruction to a user device to present the graphical user interface on the user device;
detecting a selection of the first navigation element; 
in response to detecting the selection of the first navigation element, transmitting a second instruction to the user device causing the user device to retrieve and present the first display element on the user device; and
causing performance of one of the data breach response requirements according to the response plan.

16.	(Original) The system of Claim 15, wherein the processing hardware is further configured to perform operations comprising performing each of the data breach response requirements according to the response plan.

17.	(Currently Amended) The system of Claim 15, wherein:
	the first response requirement for a first jurisdiction conflicts with the
	generating the response plan comprises evaluating the first response requirement and the second response requirement against the data breach response prioritization data to determine which of the first response requirement and the second response requirement to include in the response plan. 

18.	(Cancelled)

19.	(Currently Amended) The system of Claim 15, wherein:
	the first navigation element displays a completion status of the first response requirement; and
	the processing hardware is further configured to perform operations comprising:
causing performance of the first response requirement; and
responsive to causing the performance of the first response requirement, modifying, by the computing hardware, the first navigation element to indicate the completion status of the first response requirement to reflect the performance of the first response requirement.

20.	(Original) The system of Claim 15, wherein:
the processing hardware is further configured to perform operations comprising determining, by the computing hardware, a respective prioritization score for each of the affected jurisdictions based on at least one of penalty data for each of the affected jurisdictions, deadline data for each of the affected jurisdictions, and a number of data subjects affected by the data breach in each of the affected jurisdictions; and
generating the response plan is further based on the respective prioritization score for each of the affected jurisdictions.

Allowable Subject Matter
8.	Claims 8-17 and 19-20 are allowed. 
9.	The following is an examiner’s statement of reasons for allowance:
10.	The following references/prior art disclose some of the claim limitations and the general subject matter recited in independent claims 8 and 15.


A system comprising: 
a non-transitory computer-readable medium storing instructions; and processing hardware communicatively coupled to the non-transitory computer-readable medium, wherein the processing hardware is configured to execute the instructions and thereby perform operations comprising [See at least paragraph 0049-0052 and figure 1, ref. 105, FIG. 1 illustrates an exemplary system 100 for practicing aspects of the present technology. The system 100 may include a risk assessment system, hereinafter "system 105" that may be implemented in a cloud-based computing environment, or as a web server that is particularly purposed to manage data incidents. In general, a cloud-based computing environment is a resource that typically combines the computational power of a large grouping of processors and/or that combines the storage capacity of a large grouping of computer memories or storage devices. See also figure 15 and paragraph 0095, FIG. 15 illustrates an exemplary computing device 1500 that may be used to implement an embodiment of the present technology. The computing device 1500 of FIG. 15 (or portions thereof) may be implemented in the context of system 105 (FIG. 1). The computing device 1500 of FIG. 15 includes one or more processors 1510 and main memory 1520. Main memory 1520 stores, in part, instructions and data for execution by processor 1510. Main memory 1520 may store the executable code when in operation. The system 1500 of FIG. 15 further includes a mass storage device 1530, portable storage medium drive(s) 1540, output devices 1550, user input devices 1560, a graphics display 1570, and peripheral devices 1580.];
identifying data breach data [Paragraph 0063, determined that the entity is an entrusted entity, the input module may further solicit data incident data for one or more data incidents. Pertinent data incident data may include the type of data that was compromised, the date of compromise, the amount of data that was compromised, were there security measures in place (e.g., encryption, redaction, etc.), was the incident intentional or unintentional, was the incident malicious or non-malicious, how the data was compromised (e.g., theft of laptop, database security failure, lost storage media, hacked application, hacked computing device (e.g., web server, email server, content repository, etc.), and other types of information that assist in determining a risk level for the data incident as well as any notification obligations] and affected jurisdictions for a data breach [See at least paragraphs 0067-0068 and 0070, generate at least one state rule for each selected state statute. Additionally, one or more federal rules may be selected and generated as well….generate a state or federal privacy rule by evaluating the state/federal statute and creating a plurality of qualifications from the statutes. Qualifications for a statute may include, for example, thresholds or formulas that are used to determine if the data incident data of a data incident violates the statute. Stated otherwise, these qualifications may be used as a mathematical model of a statute. Data incident data may be evaluated in light of the model. The resultant modeling may be used to generate a risk assessment for the data incident. risk assessments may be generated by modeling the data incident data to at least one state rule and at least one federal rule]; 

determining data breach response requirements for each of the affected jurisdictions based on the data breach data [See at least paragraphs 0067-0068 and 0070, generate at least one state rule for each selected state statute. Additionally, one or more federal rules may be selected and generated as well….generate a state or federal privacy rule by evaluating the state/federal statute and creating a plurality of qualifications from the statutes. Qualifications for a statute may include, for example, thresholds or formulas that are used to determine if the data incident data of a data incident violates the statute. Stated otherwise, these qualifications may be used as a mathematical model of a statute. Data incident data may be evaluated in light of the model. The resultant modeling may be used to generate a risk assessment for the data incident. risk assessments may be generated by modeling the data incident data to at least one state rule and at least one federal rule]; 

obtaining data breach response prioritization data [See at least paragraph 0071, 0073, Note: the severity value meets the limitation “response prioritization data”, Modeling of the data incident data to a privacy rule (either state or federal) by the risk assessment generator 215 may result in the generation of a severity value and a data sensitivity value for the data incident. The severity value may represent the extent to which PII/PHI has been compromised, while the data sensitivity value may represent the relative sensitivity of the PII/PHI that was compromised. These two factors may independently or dependently serve as the basis for determining if a notification obligation exists. For example, if the severity value meets or exceeds a threshold amount, a notification obligation may exist. If the data sensitivity value meets or exceeds a threshold amount, a notification obligation may exist. In some instance, a notification obligation may only exist if the sensitivity value and the data sensitivity value both exceed threshold amounts. Again, the threshold amounts are specified by the particular privacy rule that is being applied to the data incident data. And paragraph 0073, risk assessment generator 215 may create a visual indicator such as a risk level or heat map that assists the entrusted entity in determining if a data incident is relatively severe or is relatively benign. This visual indicator may be included in the risk assessment. For example, a risk assessment may include a risk level that includes a visual indicator such as a colored object. In some embodiments, a hue of the object is associated with the severity of the data incident where red may indicate a severe risk and green may indicate a benign risk, with orange or yellow hues falling somewhere there-between];

generating a response plan for the data breach by evaluating the data breach response requirements against the data breach response prioritization data [See at least paragraph 0075-0076, If the risk assessment generator 215 determines that the data incident violates one or more statutes (e.g., high severity value, PII/PHI is very sensitive, etc.), the notification module 220 may be executed to generate a notification schedule. The notification schedule may be generated based upon a data associated with the data incident. That is, the statute may specify when notification is to occur, relative to the date that PII was exposed. the notification schedule informs the entrusted entity as to what types of information are to be provided, along with the regulatory bodies to which the information should be provided. Again, the notification schedule may be generated from the statute itself. For example, a statute may specify that the data incident data (or a portion of the data incident data) collected by the input module 210 should be provided to a particular state agency within a predetermined period of time. Again, if a plurality of states have been designated or selected, the notification schedule may include notification dates for each state agency.];

generating, based on the response plan, a graphical user interface by configuring a first set of navigation elements on the graphical user interface [See at least paragraph 0077 and figure 7-8, 0084, 0086, To assist the entrusted entity in meeting their notification obligations, the reporting module 225 may be executed to gather pertinent documents or other information from the entrusted entity and transmit these documents to the required reporting authorities. The reporting module 225 may prompt the entrusted entity to attach documents via a user interface. Once attached, these documents/data may be stored in a secured repository for submission to regulatory agency. In other instances, the entrusted entity may transmit required information directly to the regulatory agency. See 0086, FIG. 8 illustrates an exemplary GUI in the form of a state specific risk assessment page 800. The page 800 includes a risk assessment for the State of California. The state impact is shown as high and a summary of the types of PII/PHI that were exposed are summarized below the state impact indicator. Similarly to the risk assessment page 700 of FIG. 7, a notification schedule is included on the state specific risk assessment page 800. It is noteworthy that a state specific risk assessment page may be generated for each affected state (such as the affected states listed on the state specific selection and notification page 500 of FIG. 5.]



transmitting a first instruction to a user device to present the graphical user interface on the user device [See at least figure 12 see how instruction to entrusted entity/user device to present the GUI is transmitted, and paragraph 0086, FIG. 12 illustrates an upload page 1200 that may be utilized by an entrusted entity to upload and categorize required compliance information (e.g., documents shown in FIG. 11). Files may be tagged with metadata linking them to the related federal and states risk assessments before they are stored in a content repository or transmitted to an appropriate party]; detecting a selection of a first navigation element of the first set of navigation elements [See at least paragraph 0092 and figure 13, FIG. 13 illustrates an exemplary time stamped notation and actions page 1300 that displays notes entered into the system by a particular end user. Actions may include a note that a particular employee is to be retrained and certified. Any type of related action such as a remedial action, uploading of a file, or other notification and/or compliance related action may be noted and associated with a particular risk assessment]; and


B.	US Publication No. 2015/0294244 A1 to Bade discloses a method for estimating a severity of a current security incident reported by a customer for the customer's computer system, a processor receives from one or more administrators for a plurality of prior security incidents reported by the customer, identifications of a respective plurality of actual severities for the plurality of prior security incidents. The processor estimates, based in part on the plurality of identified actual severities of the prior security incidents, a severity of the current security incident. The processor reports the estimated severity for the current security incident. 

C. 	US Publication No. 2007/0283171 A1 to Breslin discloses a system and method for assessing the risk associated with the protection of data privacy by software application. A decision engine is provided to assess monitor and manage key issues around the risk management of data privacy. The system creates a core repository that manages, monitors and measures the data privacy assessments of applications across an institution (e.g., a corporation). The system and method employs automated questionnaires that require responses from the user (preferably the manager responsible for the application). The responses are tracked in order to evaluate the progress of the assessment and the status of the applications with respect to compliance with the enterprise's data privacy policies and procedures as well as the regulations and laws of the jurisdictions in which the application is operated. Once a questionnaire has been completed, the application is given ratings both with respect to the data privacy impact of the application and the application's compliance with the data privacy requirements. If a risk exists, a plan for reducing the risk or bringing the application into compliance can be formulated, and progress towards compliance can be tracked. Alternatively, an identified exposure to risk can be acknowledged through the system, which requires sign off by various higher level managers and administrators.
D.	NPL Document, titled, “A Model-Based Privacy Compliance Checker” by Siani Pearson (This prior art is cited in the IDS) discloses a Policy Compliance Checking System. Key requirements of this system are to: RI. model privacy policies (based on company 

E.	 US Patent No. 6,148,297 to Swor discloses an interactive system and method includes at least two subsystems: one for providing exposure and incident information to a healthcare worker and another for collecting exposure and incident data at a healthcare facility in a confidential manner. The system includes input/output devices and a processor for accessing and displaying information on a desired healthcare topic and for collecting, via a series of interactive screens, accident data for subsequent collation within a facility and/or on a multifacility scale, such as for regulatory compliance. Data collection is preferably done in a confidential manner, and a report is generated that includes a risk assessment and recommended followup procedures. The input/output devices are preferably located in close proximity to an area having a relatively high likelihood of exposures or incidents, for permitting the user ready access to desired

F.	US Patent No. 8776241 B2 to Zaitsev discloses an automatic analysis of security related incidents in computer network. The event collection module is configured to obtain incident-related information that includes event-level information from at least one he event analysis module is configured to reconstruct at least one chain of events causally related to the first incident and indicative of a root cause of the first incident based on the incident-related information. The solution module is configured to formulate at least one recommendation for use by the at least one client computer, the at least one recommendation being based on the at least one chain of events, and including corrective/preventive action particularized for responding to the first incident.

G.	US Publication No. 2014/0278539 A1 to Edwards discloses, the party-of-interest which can be a clinician and the audit events represent instances where the clinician has accessed patient electronic medical records (EMRs). For example, a healthcare facility may become suspicious of the activities of the clinician, or a patient may have filed a complaint alleging some sort of privacy breach. In response to either of these two situations, the healthcare facility may wish to view an audit log of EMR accesses during a specified time frame and details associated with each access. An intuitive and easy-to-use graphical user interface (GUI) is needed to facilitate this process. The present invention provides for a GUI that utilizes one or more timelines configured to enable a user to select a time frame, a central node representing a party (e.g., a patient who is alleging a privacy breach), and one or more peripheral nodes representing parties-of-interest who have accessed the party's electronic records during the specified time frame. The size of the peripheral nodes indicates how frequently the party's electronic record was accessed by the node's respective party-of-interest Like above, both the 

H. 	See the other cited prior arts.

However, the above prior art of record, including the rest of the cited prior art and the prior art submitted with the IDS, either taken alone or in combination, neither anticipates nor renders obvious the claimed subject matter of the instant application, taken as a whole, as recited in each of independent claims 8 and 15. For this reason, the specific claim limitations recited in the amended independent claims 8 and 15, taken as a whole, are found to be allowable.


11.	The dependent claims 9-14, 16-17 and 19-20, which depend on the above independent claims 8 and 15, being further limiting to the independent claims, definite and enabled by the specification, are also allowed.

12.	Any comments Applicant considers necessary must be submitted no later than the payment of the Issue Fee and, to avoid processing delays, should preferably accompany the Issue Fee. Such submission should be clearly labeled "Comments on Statement of Reasons for Allowance". In the event of any post-allowance papers (e.g. IDS, 312 amendment, petition, etc.), Applicant is exhorted to mail papers to the Production Control branch in Publications or faxed to post-

Conclusion

13.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAMSON B LEMMA whose telephone number is 571-272-3806.  The examiner can normally be reached on M-F 8am-10pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shaw Yin Chen can be reached on 571-272-8878.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.	
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/SAMSON B LEMMA/ Primary Examiner, Art Unit 2498