DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This is in response to the correspondence filed on 01/30/20.  Claims 1-20 are still pending and have been considered below.

Claim Objections
Claim 1 is objected to because of the following informalities:  line 8 of the instant claim should be amended to recite “…includes [[and]] a second username…”.  Appropriate correction is required.
Claim 9 is objected to because of the following informalities:  line 1 of the instant claim should be amended to recite “…wherein the breached password…”.  Appropriate correction is required.
Claim 11 is objected to because of the following informalities:  line 1 of the instant claim recites “…an effect on the identity score of matches in to the repository is based…”, and should be amended to correct any grammatical and/or typographical errors and ensure better readability.  Appropriate correction is required.
Claim 12 is objected to because of the following informalities:  line 5 of the instant claim recites “…credentials includes the a national identifiable number…”, and should be amended to correct any grammatical and/or typographical errors and ensure better readability.  Appropriate correction is required.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claims 1 and 20 recite the limitation "the obtained set of credential data" throughout the claims.  There is insufficient antecedent basis for this limitation in the claims.  Examiner notes that the preceding claim language does not appear to establish any first instance of an “obtained set of credential data”, thus rendering the claims indefinite in that it is unclear as to what the limitation in question is in reference to.
Claims 1, 8, 10, 16 and 20 recite the limitation "the entity" throughout the claims.  There is insufficient antecedent basis for this limitation in the claims.  Examiner notes that the preceding claim language appears to establish multiple separate and distinct instances of various entities (see lines 5 and 13 of Claim 1; line 4 of Claim 10; and lines 4 and 12 of Claim 20), thus rendering the claims indefinite in that it is unclear as to which one the limitation in question should be in reference to.
Claims 6, 8, 10 and 18 recite the limitation "the set" throughout the claims.  There is insufficient antecedent basis for this limitation in the claims.  Examiner notes that the preceding claim language appears to establish a first instance of a “set of user-authentication credentials” in addition to a separate and distinct instance of a “set of credential data” (see lines 3 and 6 of 
Claims 8 and 11 recite the limitation "the identity score" throughout the claims.  There is insufficient antecedent basis for this limitation in the claims.  Examiner notes that the preceding claim language does not appear to establish any first instance of an “identity score”, thus rendering the claims indefinite in that it is unclear as to what the limitation in question is in reference to.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1, 2, 4-6 and 8-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Yampolskiy et al. (2016/0248797) in view of Yedidi et al. (2017/0346797).
Claim 1:  Yampolskiy et al. discloses a tangible, non-transitory, machine-readable medium storing instructions that when executed by one or more processors effectuate operations comprising:
obtaining, with one or more processors, a set of user-authentication credentials of a plurality of users (collecting employee credentials) [page 13, paragraph 0101], wherein:

the obtained set of credential data includes a first username and a first password both associated with a first user among the plurality of users (credentials including corporate e-mail addresses and associated passwords) [pages 5-6, paragraph 0052], and
the obtained set of credential data includes and a second username and a second password both associated with a second user among the plurality of users [pages 5-6, paragraph 0052];
accessing, with one or more processors, a repository and determining, with one or more processors, an amount of the obtained set of user-authentication credentials in the repository (search the Internet to determine how many unique credential sets are found) [pages 5-6, paragraph 0052]; and
determining, with one or more processors, a score based on the amount of the set of user-authentication credentials in the repository [pages 5-6, paragraph 0052], wherein the score is indicative of effectiveness of cybersecurity practices of the entity and the users associated with the entity [page 2, paragraph 0019];
but does not explicitly disclose that the repository is a repository of breached credentials, wherein the repository includes credentials from a plurality of entities obtained after the entities suffered a breach.
However, Yedidi et al. discloses a similar invention [page 7, paragraph 0067] and further discloses a repository of breached credentials (compromised password database) [pages 4-5, paragraph 0045], wherein the repository includes credentials from a plurality of entities obtained after the entities suffered a breach (user accounts from other systems) [pages 6-7, paragraph 0059].
Yampolskiy et al. with the additional features of Yedidi et al., in order to detect the utilization of compromised credential and prevent malicious actors from gaining access to a user’s account(s), as suggested by Yedidi et al. [page 1, paragraph 0001 | page 4, paragraph 0043].
Claim 2:  Yampolskiy et al. and Yedidi et al. disclose the medium of claim 1, and Yampolskiy et al. further discloses wherein: the score is based on freshness of breaches such that older breaches have less of an effect on the score than newer breaches (score decays over time) [page 6, paragraph 0052].
Claim 4:  Yampolskiy et al. and Yedidi et al. disclose the medium of claim 1, and Yampolskiy et al. further discloses wherein the score, or another score determined based on the set of user-authentication credentials, is based on an amount of the user-authentication credentials determined to appear in a dictionary (commonly used insecure passwords) [page 5, paragraph 0051].
Claim 5:  Yampolskiy et al. and Yedidi et al. disclose the medium of claim 1, and Yampolskiy et al. further discloses wherein the score, or another score determined based on the set of user-authentication credentials, is based on an aggregate measure of entropy of passwords in the set of user-authentication credentials (how easy/difficult to guess passwords) [page 5, paragraph 0051].
Claim 6:  Yampolskiy et al. and Yedidi et al. disclose the medium of claim 1, and Yedidi et al. further discloses wherein the score is based on a difference in size between a run-length coding compressed versions of passwords in the set and un-compressed versions of passwords in the set (hashed password value(s) in compromised password database compared to user-provided password value) [page 6, paragraph 0052].
Claim 8:  Yampolskiy et al. and Yedidi et al. disclose the medium of claim 1, and Yampolskiy et al. further discloses wherein the operations comprise: determining, with one or more processors, a count of breached password and username combinations associated with the entity (calculate score based on how many credentials are found) [page 6, paragraph 0052]; and determining, with one or more processors, a ratio based on the count of breached password and username combinations associated with the entity and a count of total password and username combinations associated with the entity in the set, wherein the value of the identity score is based on the ratio (calculated scores normalized based on size of entity by dividing based on number of employees in the entity) [page 9, paragraph 0072].
Claim 9:  Yampolskiy et al. and Yedidi et al. disclose the medium of claim 8, and Yampolskiy et al. further discloses wherein breached password and username combinations and the total password and username combinations used to determine the ratio correspond to active password and username combinations (searching for employee credentials associated with corporate e-mail addresses) [page 6, paragraph 0052].
Claim 10:  Yampolskiy et al. and Yedidi et al. disclose the medium of claim 1, and Yampolskiy et al. further discloses wherein: the set includes a personal username and a personal password associated with the first user associated with the entity, the personal username and personal password being operative to access online resources that are controlled by a different entity (social networks); and the score is based on both personal and work credentials of employees of the entity (determine if employees are using corporate credentials for social networks) [page 5, paragraph 0051].
Claim 11:  Yampolskiy et al. and Yedidi et al. disclose the medium of claim 10, and Yedidi et al. further discloses wherein a magnitude of an effect on the identity score of matches in to the (online banking web site, social media website account, online dating website account) [pages 6-7, paragraph 0059].
Claim 12:  Yampolskiy et al. and Yedidi et al. disclose the medium of claim 1, and Yampolskiy et al. further discloses wherein: the set of user-authentication credentials is associated with a national identifiable number, a passport number, a driver’s license number, or a credit card number of the first user, the operations comprise determining the score based on whether the repository of breached credentials includes the a national identifiable number, a passport number, a driver’s license number, or a credit card number of the first user [page 3, paragraph 0028 | page 8, paragraph 0066].
Claim 13:  Yampolskiy et al. and Yedidi et al. disclose the medium of claim 1, and Yampolskiy et al. further discloses wherein the operations comprise: causing a user interface to display an indication of changes in the score over time [figure 7]. 
Claim 14:  Yampolskiy et al. and Yedidi et al. disclose the medium of claim 1, and Yampolskiy et al. further discloses wherein the operations comprise: causing a user interface to display an indication of the score [figure 7]. 
Claim 15:  Yampolskiy et al. and Yedidi et al. disclose the medium of claim 1, and Yampolskiy et al. further discloses wherein the operations comprise: causing a user interface to display a multi-dimensional set of scores, each score corresponding to a different aspect of cybersecurity practices [figure 8].
Claim 16:  Yampolskiy et al. and Yedidi et al. disclose the medium of claim 1, and Yampolskiy et al. further discloses wherein the operations comprise: obtaining, with one or more processors, historical data including a plurality of previously determined scores associated with the entity [page 8, paragraph 0064]; and predicting, with one or more processors, a future score of the 
Claim 17:  Yampolskiy et al. and Yedidi et al. disclose the medium of claim 1, and Yampolskiy et al. further discloses wherein determining the score comprises steps for determining an identity score [page 2, paragraph 0019].
Claim 18:  Yampolskiy et al. and Yedidi et al. disclose the medium of claim 1, and Yampolskiy et al. further discloses wherein: the score is based on a ratio including a weighted sum of matches between the set and entries in the repository, at least some of the matches being weighted based age of breaches (scores associated with older leaks would be lower/decayed) [page 6, paragraph 0052], and at least some of the matches being weighted based on whether the matched credentials are credentials of personal accounts of users (weigh one or more calculated security scores based on assigned weights) [page 9, paragraphs 0074-0077].
Claim 19:  Yampolskiy et al. and Yedidi et al. disclose the medium of claim 1, and Yampolskiy et al. further discloses wherein the operations comprise: steps for generating fake credentials (guessing passwords) [page 5, paragraph 0051]; and determining the score based on a determination that the fake credentials are in the repository [pages 5-6, paragraph 0052].
Claim 20:  Yampolskiy et al. discloses a method, comprising:
obtaining, with one or more processors, a set of user-authentication credentials of a plurality of users [page 13, paragraph 0101], wherein:
all of the users are associated with the same entity [page 3, paragraph 0027],
the obtained set of credential data includes a first username and a first password both associated with a first user among the plurality of users [pages 5-6, paragraph 0052], and

accessing, with one or more processors, a repository and determining, with one or more processors, an amount of the obtained set of user-authentication credentials in the repository [pages 5-6, paragraph 0052]; and
determining, with one or more processors, a score based on the amount of the set of user-authentication credentials in the repository [pages 5-6, paragraph 0052], wherein the score is indicative of effectiveness of cybersecurity practices of the entity and the users associated with the entity [page 2, paragraph 0019];
but does not explicitly disclose that the repository is a repository of breached credentials, wherein the repository includes credentials from a plurality of entities obtained after the entities suffered a breach.
However, Yedidi et al. discloses a similar invention [page 7, paragraph 0067] and further discloses a repository of breached credentials [pages 4-5, paragraph 0045], wherein the repository includes credentials from a plurality of entities obtained after the entities suffered a breach [pages 6-7, paragraph 0059].
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to further modify the disclosure of Yampolskiy et al. with the additional features of Yedidi et al., in order to detect the utilization of compromised credential and prevent malicious actors from gaining access to a user’s account(s), as suggested by Yedidi et al. [page 1, paragraph 0001 | page 4, paragraph 0043].

Allowable Subject Matter
Claims 3 and 7 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.  Parthasarathi et al. (2016/0294854).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to EDWARD ZEE whose telephone number is (571)270-1686. The examiner can normally be reached Monday-Friday 9AM-5PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on (571)272-3685. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) 



/EDWARD ZEE/Primary Examiner, Art Unit 2435