DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Notice for all US Patent Applications filed on or after March 16, 2013
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Response to Arguments

Applicant’s arguments, see applicant’s remarks, filed 2/7/22, with respect to rejections under 35 USC 103 for claim(s) 1-20 have been fully considered but they are not persuasive as far as they apply to the amended 102 and 103 rejection(s) below.

Applicant respectfully traversed the rejection on pg. 1-7.
The Examiner respectfully disagrees because elements 1-4 (remarks pg 3) are simply directed to risk management of processes utilizing personal data.  The abstract idea covers a method of organizing human activity (commercial or legal interactions including agreements in the form of contracts; legal obligations; advertising, marketing or sales activities or behaviors; business relations) is at least a legal obligation as noted in instant specification [0002-0004] where a company is adhering to a legal obligations for risk management of processes utilizing personal data.
The claims here are not like those the Federal Circuit (Court) found patent eligible in Core Wireless because the claims here are not directed to an improved user interface for computing devices such as a particular manner of summarizing and presenting information in electronic devices. For example the claims here do not require “restraining the type of data that can be displayed in the summary window or that the summary window “is displayed while the one or more applications are in an un-launched state,” a requirement that the device applications exist in a particular state.” The claims here do not disclose “limitations disclose a specific manner of displaying a limited set of information to the user, rather than using conventional user interface methods to display a generic index on a computer.”
those the Federal Circuit (Court) found patent eligible in Finjan because the claims here are not directed to performing a "behavior-based" virus to produce the security profile was a specific improvement over the traditional "code-matching" virus scans.
The claims here are not like the Rubber Manufacturing example as her, via a computer, the data is merely received, analyzed, and the analysis presented.
There does not appear to be GUIs in the claims.

Thus, the arguments are unpersuasive.

Applicant’s arguments, see applicant’s remarks, filed 2/7/22, with respect to rejections under 35 USC 103 for claim(s) 1-20 have been fully considered but they are not persuasive as far as they apply to the amended 102 and 103 rejection(s) below.

Applicant respectfully traversed the rejection on pg. 7-33.
The Examiner respectfully disagrees because generally applicant argues each prior art reference doesn’t teach all limitations and that each prior art reference is not cited in a manner where applicant can understand the citation.  The citations (for independent claims and other specifically argued claims) have additional explanation as requested and the prior art still teaches the limitation in question.  Furthermore, the applicant has not a) explained why each reference does not teach the limitations in question, b) provided an explanation regarding what the applicant believes each does teach, nor c) provided an explanation why the teaching of each reference is not each limitation in question. Thus, the argument(s) are unpersuasive.
Additionally, the requirements for a proper response to a rejection may be found in 37 CFR 1.111(b) and MPEP § 707.07.  The remarks do not provide any specific reasons as to why either the findings of fact or the legal conclusions of anticipation and obviousness are allegedly in error.  The legal decisions cited discuss various aspects of anticipation and obviousness analyses, but Applicant’s remarks are only generalizations not tied to the facts of the cases.  Thus, the remarks in response to the obviousness rejection do not comply with 37 CFR 1.111(b) and MPEP § 707.07.  Therefore, Applicant’s reply is not accepted as a complete response.

It is unclear if some of the cases cited are from the PTAB, however PTAB decisions are not binding on examiners.

Zimmerman teaches coded standard of rules [0454] A report like that shown in 4202 … may also involve developing a compound index.
Regarding the independent claim, the features upon which applicant relies (i.e., “Zimmerman does not provide a dynamic application and specifically disclosed that a data privacy office must manually define a policy to have privacy regulations, such as HIPAA, applied, as in paragraph 361” – remarks pg 13) are not recited in the rejected claim(s) as the claim(s) only recite(s) applying a set of rules associated with the coded standard against the modeled data process to provide a risk assessment to the coded standard of a severity level of risk generated by the data process to the coded standard.  Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims.  See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).
Applicant has not acted as his or her own lexicographer to specifically define or redefine data objects in the instant specification [0065] as only an example is given “in the present example, there are five data objects”.  Thus the broadest reasonable interpretation is being used.
Furthermore, a) the independent claim is broad, b) Zimmerman’s focus therefore is covered under the broad claim, and c) other arguments on pg. 13-14 are on features not in the independent claim.

Regarding the dependent claims under the 102 rejection, here specifically the remarks do not provide any specific reasons as to why either the findings of fact or the legal conclusions of anticipation and obviousness are allegedly in error.

Regarding the argument on one of ordinary skill for 103 in general, specifying a particular level of skill is not necessary where the prior art itself reflects an appropriate level of skill (see MPEP 2141.03 (II)). Furthermore, as explained below in this Office Action in the rejections under 35 U.S.C. 103, the Office provided the necessary rationale under KSR as one of teaching, suggestion, or motivation in the prior art that would have led one of ordinary skill to modify the prior art reference or to combine prior art reference teachings to arrive at the claimed invention (see MPEP 2141(II)(C)(III)(G)).

Regarding claim 7, 14, and 20, specifically Zimmerman and Muddu being non-analogous, the examiner disagrees because the instant application, Zimmerman, and Muddu are all directed to detecting breaches in policy and the claims in question are not directed to personal data policy breach detection.
Regarding the features upon which applicant relies (i.e., “First, … the claimed invention automatically allows access based on the latest version of the coded standards and depending on the coded standard that applies to the data object.” – remarks pg 26) are not recited in the rejected claim(s) as the claim(s) only recite(s) obtaining (not automatically accessing …) an updated model … .  Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims.  See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).
There is merely an allegation that Muddu only makes the breach/non-breach call as no additional support is provided.
Applicant argues circular logic for the modification of Zimmerman with Muddu however Zimmerman’s security of sensitive data in enterprises covers more areas of concern (threat management) than Muddu and those areas include Muddu’s behavior analysis (see at least Zimmerman [0012] ).  Thus if the applicant had taken into account all of the teachings of both Zimmerman and Muddu, the applicant would have realized that the modification of the teachings of Zimmermann in view of the teachings of Muddu renders a suitable combination.

Regarding claim 8 arguments of Zimmerman and Sher-Jan, again the remarks do not provide any specific reasons as to why either the findings of fact or the legal conclusions of anticipation and obviousness are allegedly in error.
Regarding claim 8, it is unclear what is unclear in the citation of Sher-Jan as the citation and [0006] in combination clearly states all elements of the claim.  The limitation merely requires an entity to protect personal data based on a coded standard that is a combination of multiple jurisdictions.  The citation clearly states that “at least one” of multiple jurisdictions and [0006] explains the jurisdictions are applied to “the data incident further including the intentional or unintentional compromise, disclosure or release of personal data, personally identifiable information”.
Regarding the features upon which applicant relies (i.e., “set of rules associated with the coded standard which represent standards from multiple jurisdictions applicable to entity against the modeled data process to provide a risk assessment to the coded standard of a degree of data-related risks generated by the data process” – remarks pg 31) are not recited in the rejected claim(s) as the claim(s) only recite(s) wherein the set of rules associated with the coded standard represent standards from multiple jurisdictions potentially applicable to an entity for protecting personal data.  Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims.  See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).
Regarding Zimmerman and Sher-Jan being non-analogous, again the features upon which applicant relies are not cited in the claims in question.  The instant application, Zimmerman, and Sher-Jan are all directed to detecting breaches in policy.  Zimmerman’s security of sensitive data in enterprises (such as “regulations such as PCI DSS, HIPAA, HITECH, SOX, CIPA, FISMA, and FERPA” and “compliance criteria (e.g., relating to SSN, credit card, regulations on content of documents”) covers more areas of concern (threat management) than Sher-Jan and those areas include Sher-Jan’s personal data policy breach detection which in Zimmerman is incident management (see at least Zimmerman [0012, 0117, 0382] ).

Thus, the arguments are unpersuasive.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claim(s) 1-20 is/are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more.

The limitation(s) below for representative claim(s) 1, 9, and 15, as drafted, is/are a process (claim(s) 1 recites a series of steps) and system (claim(s) 9 and 15 recites a series of components) that, under its broadest reasonable interpretation, is an abstract idea directed to risk management of processes utilizing personal data.

The claims are found to recite limitations that set forth the abstract idea(s) in the following representative claim(s):
Claim 1: obtaining a model of the data process, the model including an identified purpose of the data process and identified nodes representing data objects interconnected with identified edges representing data flows; and
applying a set of rules associated with the coded standard against the modeled data process to provide a risk assessment to the coded standard of a severity level of risk generated by the data process to the coded standard.
Claim 9 and 15: the same analysis as claim(s) 1.

The abstract idea covers a method of organizing human activity (commercial or legal interactions including agreements in the form of contracts; legal obligations; advertising, marketing or sales activities or behaviors; business relations).
The additional elements unencompassed by the abstract idea include data processing system comprising: a processor; and a memory (claim(s) 9), system comprising: a memory device with computer-readable program code stored thereon; a communication device; a processing device operatively coupled to the memory device and the communication device (claim(s) 15).
The abstract idea is not integrated into a practical application because the implementation of the abstract idea by the additional elements fails to describe:
Improvements to the functioning of a computer, or to any other technology or technical field - see MPEP 2106.05(a)
Applying or using a judicial exception to effect a particular treatment or prophylaxis for a disease or medical condition – see Vanda Memo
Applying the judicial exception with, or by use of, a particular machine – see MPEP 2106.05(b)
Effecting a transformation or reduction of a particular article to a different state or thing - see MPEP 2106.05(c)
Applying or using the judicial exception in some other meaningful way beyond generally linking the use of the judicial exception to a particular technological environment, such that the claim as a whole is more than a drafting effort designed to monopolize the exception - see MPEP 2106.05(e) and Vanda Memo.
The aforementioned additional elements (as additionally noted by instant specification [0017-0019]) merely serve as the computer on which the abstract idea is implemented. See MPEP 2106.05(f).
The claim(s) do/does not include limitation(s) sufficient, either alone or in combination, to amount to significantly more than the claimed abstract idea because the aforementioned additional elements essentially make up the computer on which the abstract idea is implemented. See MPEP 2106.05(f).
None of the dependent claims when separately considered in combination with each dependent claims parent claim(s) overcome the above analysis and are therefore similarly rejected as being ineligible.
Claim(s) 2-8, 10-14, and 16-20 add to or further define the abstract idea of claim(s) 1, 9, and 15 with additional steps to a) obtain profile of entity and apply second sets of rules to profile, receive likelihood of risk corresponding to severity and combine severity with likelihood of risk to provide an assessment, and generate a set of tasks to reduce risk, obtain updated model based on task completion, and apply rules to updated model and/or and/or b) further define coded standard, personal data, and set of rules.  These claim(s) do not recite additional elements beyond claim(s) 8 and those element(s) are addressed above.

Claim Rejections - 35 USC § 102

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 1-6, 9-13, and 15-19 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Zimmermann et al. (US 2018/0027006 A1).

Regarding claim 1, 9, and 15, Zimmermann teaches a method of performing a risk assessment, to a coded standard, of data-related risk within a data process comprising:
obtaining a model of the data process, the model including an identified purpose of the data process and identified nodes representing data objects interconnected with identified edges representing data flows [see at least [0327] computer system that operates the following functionality “the methods and systems disclosed herein may include one or more modules, associated with or as part of a cloud security fabric, for providing content inspection and analysis 110 (including metadata) (referred to herein in some cases ad content analysis). Referring to FIG. 9, architectural components and data flows for a content analysis service are disclosed, which may be housed in a cloud computing environment, such as the AWS.TM. environment of AmazonRTM. These components yield end-to-end textual content analysis and similar components can be deployed in connection with other content types,”; [0363] obtain a model (policy), the model provides exposure criteria for various data including consumer data or the like (identified purpose) and how criteria’s policies need to be expressed in order to be executed (identified nodes representing data objects interconnected with identified edges representing data flows) and the model may be converted/translated for external systems “the policy automation engine 116 may take serve as a platform for taking exposure criteria from third party platforms, such as for rapid onboarding of a set of policies of an enterprise. … The policy automation engine 116 may then generate a user interface that reflects the available criteria (e.g., exposure criteria) that are available for that platform, as well as information about how policies need to be expressed in order to be executed on the platform.” And “A model for each platform may be associated with a centralized, or canonical model, such that translation may occur between a platform-specific policy model and a centralized model, such as translating the expression of a particular policy from an abstracted, or canonical representation, into an expression appropriate for the native environment”]; and
applying a set of rules associated with the coded standard against the modeled data process to provide a risk assessment to the coded standard of a severity level of risk generated by the data process to the coded standard [see at least 
[0109] the data gathered (in [0363]) is not just the model but also application and user’s data and the application and user data is scanned “The extent and complexity of data collection for the CSF 100 varies. A comprehensive approach may involve scanning the entire file structure of an enterprise to obtain an extensive picture of the users, data, accounts, applications and the like. When one scans for all of that material, it is a very structured, highly intensive service. One enumerates the users, and for all the users, one scans and knows their files. One can also scan for file metadata, apply rules on the metadata, and pull down content for scanning,”;
[0454] risk assessment report including severity (risk level) based on the model (of [0363]) that utilizes rule (compound index) “FIG. 42 shows an example of a portion of shadow IT report 4202 that lists some of the applications used by the users of an enterprise in the cloud and on its network, along with a subset of the various types of information that may be available from the application index 2912, such as an indication of the risk level of the application (such as determined by risk rating 2930), the access risk (i.e., the level of access the application requests, such as "full data access" versus access to limited data or no data), the community trust rating for each application, the category of the application, a predictive risk level (which may reflect the probability that the application is being used, the probability that there are users who in addition to regular usage granted access to enterprise assets (e.g., OAuth-based) for the application, or the like, as well as the community trust rating, which in turn reflects the probability that the application was used, that the application was actually granted access for this enterprise, or the like), … A report like that shown in 4202 may be the result of the process described in connection with FIG. 28, and it may also involve developing a compound index …” ].

Regarding claim 2, 10, and 16, Zimmermann teaches the method of claim 1 further comprising:
obtaining a profile of the entity including location and type of entity [see at least [0125] "The UBA platform 500 may also enable various operational and forensic capabilities, such as supporting searches (e.g., by user, by location, by application, by type of event, etc."; [0209] "the UBA platform 500 may have a pre-PE stage that may do most filtering and that may pass a trickle of certain types of events into the PE. The UBA platform 500 may have pass-through policies that may create incidents for inbound events. The UBA platform 500 may also have possible additional rules such as relating to frequency, location, profile and business hours”];
applying a second set of rules associated with the coded standard against the profile of an entity to determine whether the coded standard applies to that entity [see at least [0179] "Data processing and QoS functions may enable processing of data from each tenant separately from the data of other tenants, and, other than for the purpose of providing anonymized statistics, prevent the workload of one tenant to starve or adversely affect the processing of the workloads of other tenants and provide useful means to gauge processing costs for each tenant, on a per-tenant basis. QoS functions may also be applied at the user level (such as processing one user's events faster than others if that user has a higher risk level). Configuration and control may allow each tenant to select which detection policy to apply for the processing of the data of the tenant, as well as allow each tenant to configure thresholds and other input parameters to be applied to the policies of the tenant. Detection policy selection may also be configurable per source,"].

Regarding claim 3, 11, and 17, Zimmermann teaches the method of claim 1 wherein the coded standard is directed to protecting personal data of individuals and the risk assessment is directed to assessing data-related risk to the personal data of those individuals [see at least [0455] "Access level attributes can include various attributes of an application that can create risk, such as the following: "access contacts," meaning the application requests access to contracts information (which may be considered a medium risk attribute); "access full data," meaning the application requests full access (read/write) to data or files (which may be considered a high risk attribute); "access limited data," meaning the application requests access to a limited portion of the data (which may be considered a medium risk application); "access payment info," meaning the application requests access to payment information (which may be considered a high risk factor); "impersonation," meaning the application requests use of impersonation to access user data (which may be considered a medium or high risk attribute); "manage devices," meaning the application requests to manage the allowed devices (which may be considered a medium risk attribute); "manage user data," meaning the application requests to control user attributes (which may be considered a high risk attribute); "read basic information," which means the application requests read access to the user's basic identification information (which may be considered a low or medium risk attribute); "read data," meaning the application requests read access to portions of the data (which may be considered a medium risk attribute); "read location," meaning the application requests read access to the user's location (which may be considered medium risk); "read personal information," meaning the application requests read access to basic identification information (which may be considered a low risk attribute); and any other attributes of applications that reflect the capability of applications to read or access data of a user, a device, or an enterprise,"].

Regarding claim 4, 12, and 18, Zimmermann teaches the method of claim 3 wherein the personal data is sensitive personal data [see at least [0361] “a user may want to apply a consistent policy across the organization and all of its cloud-based applications with respect to personally identifiable information (PII), PCI, HIPPA-regulated information, intellectual property, and other sensitive types of data”].

Regarding claim 5 and 17, Zimmermann teaches the method of claim 1 wherein the coded standard is directed to protecting security data managed by entities and the risk assessment is directed to assessing data-related risk to the security data managed by those entities within the data process (wherein the coded standard is directed to protecting personal data of individuals and the risk assessment is directed to assessing data- related risk to the personal data of those individuals - claim 17) [see at least [0102] "The enterprise API 104 family may include a variety of APls 104 by which an enterprise may benefit from connection or interaction with the CSF 100, including to receive outputs and results from each of the modules or components of the CSF 100, to deliver results and inputs to the CSF 100, and the like. These enterprise APls 104 may include sets of APIS for managing and handling incidents, policies, configuration, reporting, provisioning of users and accounts and the like. Thus, this family of enterprise APls allows partners to integrate the CSF 100 and each of its distinct capabilities into various enterprise systems and work flows. By way of example, the enterprise APls may permit an enterprise to pull down incidents recognized in the CSF 100 into a security information and event management (SIEM) system of the enterprise, such that the incidents can be treated like incidents occurring on other enterprise resources, such as an on premises network or can be otherwise handled as desired in the specific security framework of a particular enterprise.";
[0361] “a user may want to apply a consistent policy across the organization and all of its cloud-based applications with respect to personally identifiable information (PII), PCI, HIPPA-regulated information, intellectual property, and other sensitive types of data”].

Regarding claim 6, 13, and 19, Zimmermann teaches the method of claim 1 further comprising:
receiving a likelihood level of risk corresponding to the severity level of risk [see at least [0106] “In embodiments, information from the enterprise APIs 104 can be used for enrichment. Based on the enterprise APIs 104 the host of the CSF 100 can enrich information from external sources. … Similarly, one can take information from an external reputation system and augment the data (such as adding policy criteria, reports on incidents, etc.)”;
[0447] “FIG. 39 shows an example of a report 3902 that provides a breakdown of the cloud applications used by an enterprise according to levels of risk. It shows the applications discovered, the number of requests for access to each application that were discovered, the amount of traffic involved in usage of the application, and the risk score for the application. The report also shows a probability or predictive score, which may indicate the probability that users of the enterprise have actually installed the application, the probability that usage of the application will create a problem, or the like. The probability or predictive score may be different from the base risk score for the application in the case of a particular enterprise, such as because the application is involved in a large number of requests for access (as in the case of LastPass™ in the report 3902), or there is a higher amount of traffic for the application (as in the case of Slack™ in the report 3902). The probability or predictive score may be useful in situations where incomplete information is available, such as where a user is not fully allowing the monitoring of all applications.”]; and
combining the severity level of risk with the likelihood level of risk to provide an overall risk assessment [see at least [0426] “The information collected about application usage can be used, together with the other information gathered and organized at the step AFW-208, to provide various metrics about the application, such as an overall score (e.g., a risk score, or a trust rating) for the application, or a score for particular attributes of the application (such as the reputation of its vendor, the level of risk of creating a data breach, the level of risk of enabling a hacker to exploit a vulnerability, or the like). The overall scores for various applications or the component factors can be used for benchmarking purposes, such as to help an enterprise understand a level of risk relative to other similar enterprises with respect to use of a particular application, a class of applications, or applications in general, or to provide an understanding of which users within the enterprise are undertaking usage of risky applications, or undertaking risky behaviors within or with applications, as compared to other users in the enterprise or other users across the enterprises that use the CSF 100.”].

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

It has been held that a prior art reference must either be in the field of applicant’s endeavor or, if not, then be reasonably pertinent to the particular problem with which the applicant was concerned, in order to be relied upon as a basis for rejection of the claimed invention.  See In re Oetiker, 977 F.2d 1443, 24 USPQ2d 1443 (Fed. Cir. 1992).

Claim(s) 7, 14, and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Zimmermann as applied to claim(s) 6, 13, and 19 above and further in view of Muddu et al. (US 2018/0054452 A1).

Regarding claim 7, 14, and 20, Zimmermann teaches the method of claim 6 further comprising:
responsive to the overall risk assessment being at a high level, generating a set of tasks to be performed for reducing the overall risk assessment [see at least 
[0114] risk assessment triggers remediation tasks “policy automation services 116 (which include a rule engine that detects if sensitive data, such as intellectual property, PCI, PHI and/or PII, is being shared inappropriately within and outside of the organization and a workflow engine that can execute a sequence of tasks such as remediation tasks)” ].

Zimmerman doesn’t/don’t explicitly teach but Muddu discloses
responsive to completion of the set of tasks, obtaining an updated model of the data process upon completion of the set of tasks [see at least [0151] an updated model (“in order to update and improve the models”) in response to tasks (“to automatically trigger an action”) and user decision (“in addition to automatically taking action based on the discovered anomalies and threats, the decisions by the user … can then be provided as feedback data in order to update and improve the models”)
“The anomalies and threats detected by the real-time processing path may be employed to automatically trigger an action, such as stopping the intrusion, shutting down network access, locking out users, preventing information theft or information transfer, shutting down software and or hardware processes, and the like. … As an alternative or in addition to automatically taking action based on the discovered anomalies and threats, the decisions by the user (e.g., that the anomalies and threats are correctly diagnosed, or that the discovered anomalies and threats are false positives) can then be provided as feedback data in order to update and improve the models.”]; and
applying the set of a set of rules associated with the coded standard against the updated model to provide an updated risk assessment of the severity and likelihood level of risk [the limitation is interpreted based on broadest reasonable interpretation of instant specification [0056-0057] where the user not the system provides the likelihood level of risk both initially and after updating,
 [0613] “As with anomaly scores, a feature score can represent a quantified evaluation of the risk associated with a particular entity based on a particular analysis. Accordingly, the models used to generate feature scores may depend on additional available (e.g. through enrichment 6922) data associated with an entity.”].
It would have been obvious to one of ordinary skill in the art to combine the data security system of Zimmermann with the support for updating models following risk remediation tasks of Muddu, because Zimmermann and Muddu are directed to systems and methods for data security. Furthermore, users benefit from systems and methods adapted for updating models following risk remediation tasks, because such systems and methods allow for refining security models via feedback as risks are discovered and remediated [see at least Muddu [0151] ].

Claim(s) 8 is/are rejected under 35 U.S.C. 103 as being unpatentable over Zimmermann as applied to claim(s) 1 above and further in view of Sher-Jan (US 2017/0206376 A1).

Regarding claim 8, Zimmermann teaches the method of claim 1.

Zimmerman teaches using multiple regulations to determine risk and implies but doesn’t/don’t explicitly teach the regulations being used in combination however Sher-Jan discloses
wherein the set of rules associated with the coded standard represent standards from multiple jurisdictions potentially applicable to an entity for protecting personal data [see at least [0006] “the data incident further including the intentional or unintentional compromise, disclosure or release of personal data, personally identifiable information … generate a risk assessment from a comparison of the data incident data to privacy rules, the privacy rules comprising at least one federal rule, at least one state rule, and at least one European General Data Privacy Regulation (GDPR) rule, each of the rules defining requirements associated with data incident notification laws”].
It would have been obvious to one of ordinary skill in the art to combine the data security system of Zimmermann with the support for rules based on different jurisdictions and laws of Sher-Jan, because Zimmermann and Sher-Jan are directed to systems and methods for data security.  Furthermore, users benefit from systems and methods adapted for rules based on different jurisdictions and laws, because such systems and methods allow for generating risk assessment based on different local privacy rules [see at least Sher-Jan [0006] ].

Conclusion

When responding to the office action, any new claims and/or limitations should be accompanied by a reference as to where the new claims and/or limitations are supported in the original disclosure.

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Beeri et al. – WO 2016138067 A1 (relevant because it teaches translating risk policies from an external source to the system of Zimmerman and running one of the translated risk policies on the system of Zimmerman based on at least regulation of data privacy)
Shanker – Big data security analysis and secure Hadoop server (relevant because it teaches protecting user data including regulations and compliance)

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP §706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAMES WEBB whose telephone number is (313)446-6615.  The examiner can normally be reached on M-F 10-3.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jerry O’Connor can be reached on (571) 272-6787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/J.W./Examiner, Art Unit 3624                                                                                                                                                                                                        /PATRICIA H MUNSON/Supervisory Patent Examiner, Art Unit 3624