DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

The following is a final office action in response to communications received 04/14/2022. Claim 11 was previously cancelled. Claim 3 has been amended. Therefore, claims 1-9, 11-21 are pending and addressed below.

Response to Amendment
Applicant’s amendments and response to the claims are sufficient to overcome the Double Patenting and 35 USC 112(b) rejections set forth in the previous office action.


Response to Arguments
Applicant’s arguments filed 04/14/2022 have been fully considered but they are not persuasive. Applicant argues that (1) Enuka does not teach determining that a “credential for accessing the data resource”.

In response to argument (1), Examiner respectfully disagrees. Enuka discloses correlating each of the personal information findings in the findings file to a data subject…creating personal information records for each personal information findings that is successfully correlated to a data subject…see par. 54-55… all of the personal information findings associated with a scan of a data source may be stored in a personal information findings file or collection…each of the findings may comprise metadata associated with the found potential personal information including one or more of attribute type, a value (which may be hashed for privacy reasons), a scan ID, data source information corresponding to the data source where the personal information is stored (…name, type, location, access credentials, etc)…(Examiner interprets this as credential)…the system attempts to correlate each of the remaining personal information findings to a data subject in the identity graph…the system determines each of the data subject profiles to which a given finding’s value (Examiner interprets this as credential) maps and the total number such matches by, comparing the finding’s value to each of the personal information values stored in the identity graph…par. 67, 73. Therefore Examiner maintains that Enuka does teach and disclose this limitation.




Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-9, 11-21 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Enuka et al (Pub. No. US 2020/0050966).

As per claim 1, Enuka discloses a method comprising: receiving, by computing hardware, a data subject access request associated with a data subject (receiving data source information from a user via manual input of file upload…the system may search primary and secondary data sources for personal information attributes that have been previously associated with data subject profiles…see par. 48-50); in response to receiving the data subject access request, determining, by the computing hardware and based on the data subject access request, a data source associated with personal data of the data subject (see par. 50, 53); retrieving, by the computing hardware and based on the data source, a credential for accessing the data source; retrieving, by the computing hardware, the personal data from the data source using the credential; processing, by the computing hardware, the data subject access request based on the personal data; generating, by the computing hardware, metadata based on retrieving the personal data from the data source and processing the data subject access request; associating, by the computing hardware, the credential with the metadata in a data structure (…all of the personal information findings associated with a scan of a data source may be stored in a personal information findings file or collection…each of the findings may comprise metadata associated with the found potential personal information, including one or more of: an attribute type, a value (which may be hashed for privacy reasons), a scan ID…see par. 67-73); determining, by the computing hardware and subsequent to associating the credential with the metadata, that the credential is invalid for accessing the data source; and preventing, by the computing hardware and based on determining that the credential is invalid for accessing the data source, the credential from being used to access the data source (…the system may filter out personal information finding that are associated with only attributes having a “low” attribute identifiability score…the system may filter out findings associated with only attributes having an attribute identifiability score of less than a minimum identifiability threshold…the system may discard any personal information findings that cannot be mapped to any data subject attributes…see par. 74-77).

As per claim 8, Enuka discloses a system comprising: a non-transitory computer-readable medium storing instructions; and a processing device communicatively coupled to the non-transitory computer-readable medium, wherein, the processing device is configured to execute the instructions and thereby perform operations comprising: receiving a data subject access request associated with a data subject (receiving data source information from a user via manual input of file upload…the system may search primary and secondary data sources for personal information attributes that have been previously associated with data subject profiles…see par. 48-50); in response to receiving the data subject access request, identifying a data source associated with personal data of the data subject (see par. 50, 53); acquiring, based on the data source, a credential for accessing the data source; retrieving the personal data from the data source using the credential; processing the data subject access request based on the personal data; modifying, based on retrieving the personal data from the data source and processing the data subject access request, metadata associated with the credential (all of the personal information findings associated with a scan of a data source may be stored in a personal information findings file or collection…each of the findings may comprise metadata associated with the found potential personal information, including one or more of: an attribute type, a value (which may be hashed for privacy reasons), a scan ID…see par. 67-73, 86); determining, subsequent to modifying the metadata based on the metadata, that the credential is invalid for accessing the data source a credential inactivity criterion has been met; and responsive to determining that the credential is invalid for accessing the data source inactivity criterion has been met, preventing the credential from being used to access the data source (…the system may filter out personal information finding that are associated with only attributes having a “low” attribute identifiability score…the system may filter out findings associated with only attributes having an attribute identifiability score of less than a minimum identifiability threshold…the system may discard any personal information findings that cannot be mapped to any data subject attributes…see par. 74-77).

As per claim 15, Enuka discloses a non-transitory computer-readable medium having program code that is stored thereon, the program code executable by one or more processing devices for performing operations comprising: responsive to accessing a data source using a credential to process a data subject access request (receiving data source information from a user via manual input of file upload…the system may search primary and secondary data sources for personal information attributes that have been previously associated with data subject profiles…see par. 48-53), modifying metadata associated with the credential based on the access (all of the personal information findings associated with a scan of a data source may be stored in a personal information findings file or collection…each of the findings may comprise metadata associated with the found potential personal information, including one or more of: an attribute type, a value (which may be hashed for privacy reasons), a scan ID…see par. 67-73, 86); determining, subsequent to modifying the metadata, that the credential is invalid for accessing the data source; and preventing, based on determining that the credential is invalid for accessing the data source, the credential from being used to access the data source (…the system may filter out personal information finding that are associated with only attributes having a “low” attribute identifiability score…the system may filter out findings associated with only attributes having an attribute identifiability score of less than a minimum identifiability threshold…the system may discard any personal information findings that cannot be mapped to any data subject attributes…see par. 74-77).


As per claim 2, Enuka discloses subsequent to determining that the credential is invalid for accessing the data source inactivity criterion has been met, receiving, by the computing hardware, a second data subject access request associated with a second data subject; responsive to receiving the second data subject access request, acquiring, by the computing hardware, an updated credential for accessing the data source; retrieving, by the computing hardware, second personal data of the second data subject from the data source using the updated credential; and processing, by the computing hardware, the second data subject access request based on the personal data (see par. 47-49).


As per claim 3, Enuka discloses subsequent to determining that the credential is invalid for accessing the data source, receiving, by the computing hardware, a second data subject access request associated with a second data subject; responsive to receiving the second data subject access request, determining, by the computing hardware, the credential is valid for accessing the data source, retrieving, by the computing hardware and based on determining that the credential is valid for accessing the data source, second personal data of the second data subject from the data source using the credential; processing, by the computing hardware, the second data subject access request based on the second personal data; and modifying, by the computing hardware, the metadata based on retrieving the second personal data from the data source and processing the third data subject access request (see par. 47-49, 72-74).


As per claim 4, Enuka discloses generating, by the computing hardware, initial metadata based on acquiring the credential for accessing the data source, wherein; generating the metadata based on retrieving the personal data from the data source and processing the data subject access request comprises modifying, by the computing hardware, the initial metadata into the metadata (see par. 48-53).


As per claim 5, Enuka discloses wherein retrieving the credential for accessing the data source comprises: accessing a data map identifying the credential is stored for the data source; and causing retrieval of the credential from a storage location identified by the data map (see par. 54).


As per claims 6, 9, Enuka discloses wherein preventing the credential from being used to access the data source comprises deleting the credential (see par. 55).


As per claim 7, Enuka discloses wherein modifying the metadata comprises identifying at least one of a date or a time that the second personal data was retrieved from the data source (see par. 40-41).

 
As per claim 11, Enuka discloses wherein the operations further comprise: subsequent to determining that the credential is invalid for accessing the data source inactivity criterion has been met, receiving a second data subject access request associated with a second data subject; responsive to receiving the second data subject access request, acquiring an updated credential for accessing the data source; retrieving second personal data of the second data subject from the data source using the updated credential; and processing the second data subject access request based on the personal data (see par. 47-49).


As per claim 12, Enuka discloses wherein acquiring the credential for accessing the data source comprises: accessing a data map identifying the credential is stored for the data source; and retrieving the credential from a storage location identified by the data map (see par. 54).


As per claim 13, Enuka discloses wherein the operations further comprise: generating initial metadata based on acquiring the credential for accessing the data source; and modifying the metadata based on retrieving the personal data from the data source and processing the data subject access request comprises modifying the initial metadata into the metadata (see par. 48-53).


As per claim 14, Enuka discloses wherein modifying the metadata comprises identifying at least one of a date or a time that the personal data was retrieved from the data source (see par. 40-41).


As per claim 16, Enuka discloses subsequent to determining that the credential is invalid for accessing the data source, receiving a second data subject access request; responsive to receiving the second data subject access request, determining the credential is valid for accessing the data source, retrieving, based on determining that the credential is valid, second personal data from the data source using the credential; processing the second data subject access request based on the second personal data; and modifying the metadata based on retrieving the second personal data from the data source (see par. 47-49, 72-74).


As per claim 17, Enuka discloses where the operations further comprise: subsequent to determining that the credential is invalid for accessing the data source; responsive to receiving the second data subject access request, acquiring an updated credential for accessing the data source; retrieving second personal data from the data source using the updated credential; and processing, by the computing hardware, the second data subject access request based on the second personal data (see par. 47-49).


As per claim 18, Enuka discloses wherein acquiring the updated credential comprises: generating a user interface comprising a credential input element based on the data source; providing the user interface to a computing device; and receiving the updated credential via the credential input element (see par. 98-101).


As per claim 19, Enuka discloses wherein modifying the metadata comprises identifying at least one of a date or a time of the access (see par. 40-41).


As per claim 20, Enuka discloses wherein preventing the credential from being used to access the data source comprises deleting the credential (see par. 55).


As per claim 21, Enuka discloses wherein modifying the metadata based on retrieving the second personal data from the data source comprises identifying at least one of a date or a time of retrieving the second personal data from the data source (see par. 40-41).



Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure (see PTO-form 892).
The following Patents and Papers are cited to further show the state of the art at the time of Applicant’s invention with respect to preventing the credentials from being used to access the data source.

Lambert (Pub. No. US 2017/0061138); “System and Method for Secure Data Transmission and Storage”;
-Teaches transmitting segments groupings over different data routings…see par. 154.

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GHAZAL B SHEHNI whose telephone number is (571)270-7479. The examiner can normally be reached Mon-Fri 9am-5pm PCT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Philip Chea can be reached on 5712723951. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/GHAZAL B SHEHNI/
Primary Examiner, Art Unit 2499