Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Detailed Action
This office action is in response to the application 17/091,622 filed on 11/06/2020. Claims 1-20 are pending in this communication.

Priority
This application claims priority from US PRO 62/932,638 11/08/2019. Priority date has been accepted.

Examiner’s Note
The examiner requests that the applicant’s representative provide a direct phone number and email address in the next communication, which will be very helpful in advancing the prosecution.
Generally, text that is italicized is claim language; text that is in bold is a reference citation (with some obvious exceptions); text that is neither italicized nor bolded is by the examiner.
The Examiner used figures, paragraph and line numbers from the instant application’s pre-grant publication or pdf copy of allowance. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-12 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter: software per se.
Regarding independent claim 1 (& 6): the claim calls for a system; however, there is no hardware element found within the claimed system. As recited in the body of the claim, the claimed device contains “a server comprising at least one computer processor”. Regarding the claimed processors, the specification does not explicitly define that the claimed processors are only implemented in hardware. Also, the specification does not explicitly exclude propagating signals from the claimed medium. One of ordinary skill in the art would understand that a ‘processor’ could be a software processor (See “The Authoritative Dictionary of IEEE Standards Terms,” Seventh Edition, published in 2000). See Ex parte Mewherter, 107 USPQ2d 1857, 1862. As the body of the claim does not positively recite any hardware embodiment, the claim is directed to non-statutory subject matter. The nominal recitation of the server/computer with an absence of a hardware element in the body of the claim fails to make the claim statutory under 35 USC 101. See Am. Med. Sys., Inc v. Biolitec, Inc., 618 F.3d 1354, 1358 (Fed. Cir. 2010). The Examiner respectfully suggests that the claim be further amended to positively recite at least one hardware element within the body of the claim to make the claim statutory subject matter under 35 U.S.C. 101. This rejection could be overcome by language like ‘hardware processor’ or ‘processor coupled to memory’ etc.

Claim Rejections - 35 USC § 103
The following is a quotation of AIA 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-10 are rejected under AIA 35 U.S.C. 103 as being unpatentable over COGGESHALL; Stephen et al., Pub. No.: US 2013/0333048 A1 in view of RUBIN; Moshe et al., Pub. No.: US 2005/0240999 A1 and further in view of MAHAFFEY; Kevin Patrick et al., Pub. No.: US 2016/0099963 A1.

Regarding Claim 1, COGGESHALL discloses a system comprising:
a server comprising at least one computer processor {[0032], “FIG. 2 also illustrates the identity manipulation detection system 100. The identity resolution and manipulation detection computer 120 comprises a processor 225 for analyzing the identity records stored in the ID network database 110”} configured … to identify toxic combinations of personal information in at least one of a database and computer code {ABS. & [0043], “The processor 225 also calculates the attributes of the person, where the attributes include the person's identity information and all variations used. Improper manipulations can be determined by the variations of the personal identifying information, combined with running an algorithm to identify bad manipulations”. Also see [0048]};
COGGESHALL, however, does not explicitly disclose
… with one or more rulesets, the one or more ruleset being configured …
the server further comprising a user interface configured to provide actuation of a scan of the database and computer code and to display results of the scan;
wherein the one or more rulesets are updated periodically.
In an analogous reference RUBIN discloses
… with one or more rulesets, the one or more ruleset being configured {Fig. 10 & [0016], “based on a database of rules corresponding to computer exploits”} … 
the server further comprising a user interface {[0004], “Content such as JavaScript and VBScript is executed by an Internet browser, as soon as the content is received within a web page”} configured to provide actuation of a scan of the database and computer code {ABS. & [0016], “selectively diverting the received content from its intended destination, scanning the selectively diverted content to recognize potential exploits there within”} and … ;
wherein the one or more rulesets are updated periodically {[0016], “updating the database of rules periodically to incorporate new rules that are made available”}.
In an analogous reference MAHAFFEY discloses
… to display results of the scan {[0659], “the scan results are provided in an app profile. … A profile may include any combination of the scan results shown in FIG. 50”} …
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify COGGESHALL’s ‘identifying a harmful combination of personal identification information’ for ‘updating policy set periodically for scanning the database’, as taught by RUBIN, AND for ‘displaying data scan results in a user interface’, as taught by MAHAFFEY, in order to remediate a harmful combination of personally identifiable information used for malicious purposes. The motivation is: often, employee carelessness can result in sharing PII with a much wider audience than intended. Regardless of the method by which the data is lost, companies face many of the same consequences: fines, litigation expenses, the costs of implementing better systems, and the damage of negative publicity.
All references are inventions in an analogous area, but each teaches specific claimed limitations, and the references mutually cure each other’s deficiencies. When all claimed techniques are combined, they teach the claimed invention. The Examiner notes that this motivation applies to all dependent and/or otherwise subsequently addressed claims unless addressed separately.

Regarding Claim 2, COGGESHALL as modified by RUBIN and further modified by MAHAFFEY discloses all the features of claim 1. The combination further discloses
wherein the results of the scan identify whether at least one toxic combination of personal information is present in the at least one of the database and computer code {COGGESHALL: ABS. & [0043], “The processor 225 also calculates the attributes of the person, where the attributes include the person's identity information and all variations used. Improper manipulations can be determined by the variations of the personal identifying information, combined with running an algorithm to identify bad manipulations”. Also see [0048]}. 

Regarding Claim 3, COGGESHALL as modified by RUBIN and further modified by MAHAFFEY discloses all the features of claims 2 & 1. The combination further discloses
wherein the results of the scan identify whether at least one toxic combination of personal information is present in the at least one of the database and computer code {COGGESHALL: [0048], “The processor 225 watches closer for changes of a systematic nature (e.g., 700, 701, 702, etc.), multiple variations (e.g., 3 or more Social Security numbers), and certain types of identity information (e.g., Social Security numbers and dates of birth)”}.

Regarding Claim 4, COGGESHALL as modified by RUBIN and further modified by MAHAFFEY discloses all the features of claim 1. The combination further discloses
wherein the results of the scan identify when an actual risk level does not match an expected risk level {MAHAFFEY: claim 25: “comparing, by the server security component, the first risk level to the acceptable risk level; and alerting, by the server security component, the first collection when the comparison indicates that the first risk level is more than a threshold more than the acceptable risk level”}.

Regarding Claim 5, COGGESHALL as modified by RUBIN and further modified by MAHAFFEY discloses all the features of claim 1. The combination further discloses
wherein the results of the scan comprise an indication that the scan is incomplete and a request for further information is displayed {RUBIN: [0245], “FIG. 6 describes a method in which a complete diagnostic of all match analyzer rules is produced, in an alternative embodiment the method may stop as soon as a first analyzer rule is matched. The parser would produce an incomplete diagnostic, but enough of a diagnostic to determine that the scanned content contains a potential exploit”}.

Regarding claim 6, claim 6 is a claim to a system using the system of claim 1. Therefore, claim 6 is rejected for the reasons set forth for claim 1.

Regarding claim 7, claim 7 is a dependent claim of claim 6; claim 7 is a claim to a system using the system of claim 2. Therefore, claim 7 is rejected for the reasons set forth for claim 2.

Regarding claim 8, claim 8 is a dependent claim of claims 7 & 6; claim 8 is a claim to a system using the system of claim 3. Therefore, claim 8 is rejected for the reasons set forth for claim 3.

Regarding claim 9, claim 9 is a dependent claim of claim 6; claim 9 is a claim to a system using the system of claim 4. Therefore, claim 9 is rejected for the reasons set forth for claim 4.

Regarding claim 10, claim 10 is a dependent claim of claim 6; claim 10 is a claim to a system using the system of claim 5. Therefore, claim 10 is rejected for the reasons set forth for claim 5.

Claims 11-12 are rejected under AIA 35 U.S.C. 103 as being unpatentable over COGGESHALL; Stephen et al., Pub. No.: US 2013/0333048 A1 in view of RUBIN; Moshe et al., Pub. No.: US 2005/0240999 A1 and further in view of MAHAFFEY; Kevin Patrick et al., Pub. No.: US 2016/0099963 A1 and SRIRAGHAVAN; Priyanka G. et al., Pub. No.: US 2011/0099549 A1.

Regarding Claim 11, COGGESHALL as modified by RUBIN and further modified by MAHAFFEY discloses all the features of claim 6. However, the combination does not explicitly disclose
wherein scans are run on computer code that is in development.
In an analogous reference SRIRAGHAVAN discloses
wherein scans are run on computer code that is in development {[0028], “the Reader module 214 may constantly, periodically, and/or intermittently monitor and scan all code development entities registered in the R-MANAGER to detect any reminder embedded in a tagged segment of code”}.
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to further modify COGGESHALL’s technique (as modified by RUBIN & MAHAFFEY) of ‘identifying a harmful combination of personal identification information for updating policy set periodically for scanning the database’ for ‘periodically scanning computer code under development’, as taught by SRIRAGHAVAN, in order to remediate a harmful combination of personally identifiable information used for malicious purposes. The motivation is to avoid future surprises when scanning code in released software and having to restart fixing and testing the code, which damages the company’s reputation with an inferior product and costs extra money.
All references are inventions in an analogous area, but each teaches specific claimed limitations, and the references mutually cure each other’s deficiencies. When all claimed techniques are combined, they teach the claimed invention. The Examiner notes that this motivation applies to all dependent and/or otherwise subsequently addressed claims unless addressed separately.

Regarding Claim 12, COGGESHALL as modified by RUBIN and further modified by MAHAFFEY discloses all the features of claim 6. However, the combination does not explicitly disclose
wherein the scans are on computer code at periodic intervals.
SRIRAGHAVAN further discloses
wherein the scans are on computer code at periodic intervals {[0028], “the Reader module 214 may constantly, periodically, and/or intermittently monitor and scan all code development entities registered in the R-MANAGER to detect any reminder embedded in a tagged segment of code”}.


Claims 13-17 are rejected under AIA 35 U.S.C. 103 as being unpatentable over COGGESHALL; Stephen et al., Pub. No.: US 2013/0333048 A1 in view of RUBIN; Moshe et al., Pub. No.: US 2005/0240999 A1 and further in view of MAHAFFEY; Kevin Patrick et al., Pub. No.: US 2016/0099963 A1 and ZHOU; Qi, Pub. No.: US 2019/0246273 A1.

Regarding Claim 13, COGGESHALL discloses a method comprising:
…  identify toxic combinations of personal information in at least one of a database and computer code {ABS. & [0043], “The processor 225 also calculates the attributes of the person, where the attributes include the person's identity information and all variations used. Improper manipulations can be determined by the variations of the personal identifying information, combined with running an algorithm to identify bad manipulations”. Also see [0048]};
However, COGGESHALL does not explicitly disclose
receiving a login request for a scan tool via a computer network, wherein the scan tool is configured with one or more rulesets that are configured to …
providing access to the scan tool upon verification of the login request;
presenting a user interface;
receiving a selection, through user interface, of an application to be scanned;
performing a scan of the application;
presenting results of the scan through the user interface.
In an analogous reference ZHOU discloses
receiving a login request for a scan tool via a computer network, wherein the scan tool is configured with one or more rulesets that are configured to … providing access to the scan tool upon verification of the login request {[0209], “Cross-device login can be performed by a user using a mobile device. Normally, the user first opens an application on the mobile device, and then uses the mobile device to scan a two-dimensional code to complete the cross-device login. In some cases, the user first receives an SMS verification code or a voice verification code on the mobile device, and then enters the received verification code on a login page displayed on the mobile device to complete the cross-device login”};
In an analogous reference RUBIN discloses
presenting a user interface {[0004], “Content such as JavaScript and VBScript is executed by an Internet browser, as soon as the content is received within a web page”};
receiving a selection, through user interface, of an application to be scanned; performing a scan of the application {ABS. & [0016], “selectively diverting the received content from its intended destination, scanning the selectively diverted content to recognize potential exploits there within”};
In an analogous reference MAHAFFEY discloses
presenting results of the scan through the user interface {[0659], “the scan results are provided in an app profile. … A profile may include any combination of the scan results shown in FIG. 50”}.
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify COGGESHALL’s ‘identifying a harmful combination of personal identification information’ for ‘updating policy set periodically for scanning the database’, as taught by RUBIN, AND for ‘displaying data scan results in a user interface’, as taught by MAHAFFEY, AND providing a login verification technique for a scanner tool, as taught by ZHOU, in order to remediate a harmful combination of personally identifiable information used for malicious purposes. The motivation is: often, employee carelessness can result in sharing PII with a much wider audience than intended. Regardless of the method by which the data is lost, companies face many of the same consequences: fines, litigation expenses, the costs of implementing better systems, and the damage of negative publicity.
All references are inventions in an analogous area, but each teaches specific claimed limitations, and the references mutually cure each other’s deficiencies. When all claimed techniques are combined, they teach the claimed invention. The Examiner notes that this motivation applies to all dependent and/or otherwise subsequently addressed claims unless addressed separately.


Regarding claim 14, claim 14 is a dependent claim of claim 13; claim 14 is a claim to a method using the system of claim 2. Therefore, claim 14 is rejected for the reasons set forth for claim 2.

Regarding claim 15, claim 15 is a dependent claim of claims 14 & 13; claim 15 is a claim to a method using the system of claim 3. Therefore, claim 15 is rejected for the reasons set forth for claim 3.

Regarding claim 16, claim 16 is a dependent claim of claim 13; claim 16 is a claim to a method using the system of claim 4. Therefore, claim 16 is rejected for the reasons set forth for claim 4.

Regarding Claim 17, COGGESHALL as modified by RUBIN and further modified by MAHAFFEY discloses all the features of claim 1. The combination further discloses
displaying an application dashboard {MAHAFFEY: [0659], “the scan results are provided in an app profile. … A profile may include any combination of the scan results shown in FIG. 50”}.

Allowable subject matter
Claims 18 and 19 will be allowable if written in independent form with base claim 13. For allowability, independent claims 1 & 6 are required to be of the same scope, with limitations equivalent to those of claims 18 and 19, as proposed for amended claim 1. Claim 20 is also objected to as per the search result.
Reasons for allowance: what is missing from the prior art is: the application dashboard comprises a data store component, a distributed data store component, and a Representational State Transfer (REST) service component, and results of scans are depicted for each component.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to QUAZI FAROOQUI whose telephone number is (571) 270-1034. The examiner can normally be reached on M-F 8:30AM-5:00PM. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Ashok B. Patel, can be reached on 571-272-3972. The fax phone number assigned to Examiner Farooqui is 571-270-2034.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/QUAZI FAROOQUI/
Primary Examiner, Art Unit 2491