Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


DETAILED ACTION
Information Disclosure Statement
The information disclosure statement (IDS) submitted is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Response to Arguments
In communications filed on 4/4/2022, claims 1-20 are presented for examination. Claims 1, 8, and 13 are independent.
Amended claim(s): 1, 2, 8, 9, 13, and 14.
Applicants’ arguments, see Applicant Arguments/Remarks filed 4/4/22, with respect to claim(s) rejected under prior art have been fully considered and are persuasive insofar as the cited art of record does not disclose the independent claim limitation: wherein the action comprises at least one of causing the software application to become unavailable or disabling the functionality in the software application. However, newly cited art Nico (US 8955038 B2) teaches: wherein the action comprises at least one of causing the software application to become unavailable or disabling the functionality in the software application (Nico: col. 17 and col. 22-23, i.e., blocking or uninstalling a software application based on a threshold).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over US 20200394327 A1 (hereinafter ‘Childress’) in view of US 10613971 B1 (hereinafter ‘Vasi’) in view of US 20190171801 A1 (hereinafter ‘Barday’) in view of US 8955038 B2 (hereinafter ‘Nico’).

As regards claim 1, Childress (US 20200394327 A1) discloses: A method comprising: scanning, by computing hardware, a software application to identify functionality configured for processing target data; (Childress: ¶14, ¶19, ¶65-¶68, i.e., analyzing applications that perform actions (i.e., functionality) on data, wherein the actions include accessing, utilizing, and sharing the data)
identifying, by the computing hardware, a plurality of fields associated with the functionality; (Childress: ¶21, ¶66, i.e., data identifiers (i.e., fields) associated with different data types)
Childress does not disclose the following, but in analogous art Vasi (US 10613971 B1) teaches: identifying, by the computing hardware, metadata associated with a field from the plurality of fields; (Vasi: Figs. 1-4, col. 3:55 to col. 4:46, i.e., analyzing the website form including the metadata associated with the fields and the data types associated with the fields)
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify Childress to include analyzing a software application such as a website for metadata associated with the fields and the data types associated with the fields as taught by Vasi, with the motivation to perform testing of the website for errors (Vasi: Figs. 1-4, col. 3:55 to col. 4:46).
The Childress et al. combination further discloses: generating, by the computing hardware and from the metadata, an identification of a type of data associated with the field using at least one of a rules-based model or a machine-learning model; (Childress: ¶14, ¶20-¶21, i.e., the analysis is based on the governance model. See also Vasi: Figs. 1-4, col. 3:55 to col. 4:46, i.e., analyzing the website form including the metadata associated with the fields and the data types associated with the fields, wherein the analysis is defined by the style of coding, i.e., a rule, such as HTML, CSS, PHP, and so forth)
determining, by the computing hardware, a location based on the processing of the target data by the functionality; (Childress: ¶4, ¶23, i.e., the location of the data)
determining, by the computing hardware, a risk associated with the functionality processing the target data based on the location and the type of data for the field; (Childress: ¶12-¶13, ¶23, ¶69, i.e., determining the risk of an application with respect to GDPR compliance based on data type and location)
The Childress et al. combination does not disclose the following, but in analogous art Barday (US 20190171801 A1) teaches: determining, by the computing hardware and based on at least one of the functionality or the type of data for the field, a threshold level of risk; determining, by the computing hardware, that the risk satisfies the threshold level of risk; and (Barday: Figs. 5-6, ¶80-¶93, i.e., risk level calculation wherein the risk level is determined based on data type, location, and other factors, and the risk level is assigned based on a threshold of low, medium, or high; ¶100-¶107, performing a remedial action based on the determined risk level)
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify the Childress et al. combination to include risk level calculation wherein the risk level is determined based on data type, location, and other factors, and the risk level is assigned based on a threshold of low, medium, or high as taught by Barday, with the motivation to provide a privacy risk assessment (Barday: Figs. 5-6, ¶80-¶93).
The Childress et al. combination further discloses: responsive to determining that the risk satisfies the threshold level of risk, causing, by the computing hardware, an action to be performed to mitigate the risk. (Childress: ¶58, ¶62-¶64. See also Barday: Figs. 5-6, ¶80-¶93, i.e., risk level calculation wherein the risk level is determined based on data type, location, and other factors, and the risk level is assigned based on a threshold of low, medium, or high; ¶100-¶107, ¶250-¶274, performing a remedial action based on the determined risk level)
The Childress et al. combination does not disclose the following, but in analogous art Nico (US 8955038 B2) teaches: wherein the action comprises at least one of causing the software application to become unavailable or disabling the functionality in the software application (Nico: col. 17 and col. 22-23, i.e., blocking or uninstalling a software application based on a threshold)
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify the Childress et al. combination to include blocking or uninstalling software based on a vulnerability threshold level as taught by Nico, with the motivation to provide immediate protection against security attacks (Nico: col. 23).

Claims 8 and 13 recite substantially the same features recited in claim 1 above and are rejected based on the aforementioned rationale discussed in the rejection.

As regards claim 2, the Childress et al. combination discloses the method of Claim 1, wherein the action also comprises generating an electronic communication sent to personnel identifying the functionality and the risk. (Childress: ¶58, ¶62-¶64. See also Barday: Figs. 5-6, ¶37, i.e., sending risk alerts; ¶80-¶94, i.e., risk level calculation wherein the risk level is determined based on data type, location, and other factors, the risk level is assigned based on a threshold of low, medium, or high, and personnel are notified; ¶100-¶107, ¶250-¶274, performing a remedial action based on the determined risk level)

Claims 9 and 14 recite substantially the same features recited in claim 2 above and are rejected based on the aforementioned rationale discussed in the rejection.

As regards claim 3, the Childress et al. combination discloses the method of Claim 1, wherein the risk comprises at least one of a risk of experiencing a data privacy incident due to the functionality processing the target data and a risk of being noncompliant with a data privacy standard due to the functionality processing the target data. (Childress: ¶12-¶13, ¶23, ¶58, ¶62-¶69, i.e., determining the risk of an application with respect to GDPR compliance based on data type and location. See also Barday: Figs. 5-6, ¶80-¶93, i.e., risk level calculation wherein the risk level is determined based on data type, location, and other factors, and the risk level is assigned based on a threshold of low, medium, or high; ¶100-¶107, ¶250-¶274, performing a remedial action based on the determined risk level)

Claims 10 and 16 recite substantially the same features recited in claim 3 above and are rejected based on the aforementioned rationale discussed in the rejection.

As regards claim 4, the Childress et al. combination discloses the method of Claim 1, further comprising: determining, by the computing hardware, a vendor associated with the functionality based on metadata associated with the functionality (Barday: Figs. 1, 3, ¶54-¶61), wherein the location is a jurisdiction in which the vendor processes data and processing of the target data by the functionality involves transferring the target data to the location. (Childress: ¶12-¶13, ¶23, ¶58, ¶62-¶69, i.e., determining the risk of an application with respect to GDPR compliance based on data type and location. See also Barday: Figs. 5-6, ¶38, ¶80-¶93, i.e., risk level calculation wherein the risk level is determined based on data type, location, and other factors, and the risk level is assigned based on a threshold of low, medium, or high; ¶100-¶107, ¶250-¶274, performing a remedial action based on the determined risk level)

Claims 11 and 17 recite substantially the same features recited in claim 4 above and are rejected based on the aforementioned rationale discussed in the rejection.

As regards claim 5, the Childress et al. combination discloses the method of Claim 1, wherein the software application comprises a website and the functionality comprises a webform found on the website in which at least one of the plurality of fields is used on the webform to collect the target data. (Vasi: Figs. 1-4, col. 3:55 to col. 4:46, i.e., analyzing the website form including the metadata associated with the fields and the data types associated with the fields)
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify Childress to include analyzing a software application such as a website for metadata associated with the fields and the data types associated with the fields as taught by Vasi, with the motivation to perform testing of the website for errors (Vasi: Figs. 1-4, col. 3:55 to col. 4:46).

Claim 18 recites substantially the same features recited in claim 5 above and is rejected based on the aforementioned rationale discussed in the rejection.

As regards claim 6, the Childress et al. combination discloses the method of Claim 1, wherein the software application comprises a mobile application and the functionality comprises a graphical user interface provided through the mobile application in which at least one of the plurality of fields is used on the graphical user interface to collect the target data. (Childress: Fig. 1, ¶13)

Claim 19 recites substantially the same features recited in claim 6 above and is rejected based on the aforementioned rationale discussed in the rejection.

As regards claim 7, the Childress et al. combination discloses the method of Claim 1, wherein determining the risk associated with the functionality processing the target data based on the type of data for the field and the location involves using at least one of a second rules-based model or a second machine learning model to generate the risk, wherein the risk represents a likelihood of experiencing at least one of a data privacy incident due to the functionality processing the target data or being noncompliant with a data privacy standard due to the functionality processing the target data. (Childress: ¶12-¶13, ¶23, ¶58, ¶62-¶69, i.e., determining the risk of an application with respect to GDPR compliance based on data type and location. See also Barday: Figs. 5-6, ¶38, ¶80-¶93, i.e., risk level calculation wherein the risk level is determined based on data type, location, and other factors, and the risk level is assigned based on a threshold of low, medium, or high; ¶100-¶107, ¶250-¶274, performing a remedial action based on the determined risk level)

Claims 12 and 17 recite substantially the same features recited in claim 7 above and are rejected based on the aforementioned rationale discussed in the rejection.

As regards claim 15, the Childress et al. combination discloses the non-transitory computer-readable medium of Claim 13, wherein identifying the type of data associated with the functionality based on the metadata involves processing the metadata using at least one of a second rules-based model or a second machine learning model to generate an identification of the type of data associated with the functionality. (Childress: ¶14, ¶20-¶21, i.e., the analysis is based on the governance model. See also Vasi: Figs. 1-4, col. 3:55 to col. 4:46, i.e., analyzing the website form including the metadata associated with the fields and the data types associated with the fields, wherein the analysis is defined by the style of coding, i.e., a rule, such as HTML, CSS, PHP, and so forth)

As regards claim 20, the Childress et al. combination discloses the non-transitory computer-readable medium of Claim 13, wherein the data incident comprises at least one of a data privacy incident due to the functionality processing the target data or a risk of being noncompliant with a data privacy standard due to the functionality processing the target data. (Childress: ¶12-¶13, ¶23, ¶58, ¶62-¶69, i.e., determining the risk of an application with respect to GDPR compliance based on data type and location. See also Barday: Figs. 5-6, ¶80-¶93, i.e., risk level calculation wherein the risk level is determined based on data type, location, and other factors, and the risk level is assigned based on a threshold of low, medium, or high; ¶100-¶107, ¶250-¶274, performing a remedial action based on the determined risk level)

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SYED A ZAIDI whose telephone number is (571)270-5995. The examiner can normally be reached Monday-Thursday: 5:30AM-5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/SYED A ZAIDI/Primary Examiner, Art Unit 2432