Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


Claim Objections
Claims 2 and 10 are objected to because of the following informalities: the claims recite “the another application for the ,” which is incomplete and appears to be in error. Appropriate correction is required.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-5, 7-13, 15-17, and 19-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Meier et al. (US 2017/0154188), hereafter Meier.
1. Meier discloses a method comprising: 
detecting, by a computing device, a transfer of data from one application to another, the transfer including a field to receive sensitive information (para 14, In such a device or system, a copy action controller includes a command detector configured to detect an automated processor-implemented copy action in response to a user command received by a computer system, the copy action comprising at least one of a cut action from a source, a copy action from the source, and a paste action to a destination; para 105, destination application … the application that is a source may be an internet browser, such as Firefox, however the context of the source may be a confidential internal website that is being accessed by the browser; para 127, sensitive data may be identified); 
determining, by the computing device, that the one application of the transfer is insecure (para 120, high risk input (source) applications are web browsers, as they potentially could lead to data being copied to external sites); and 
in response to the computing device determining that the one application is insecure: 
providing, by the computing device, an action so as to mitigate use of sensitive information within the one application (para 61, A cut/copy and paste action performed by the operating system is monitored and intercepted during a user's session, and the action may be blocked, filtered, logged, archived, suppressed and/or mitigated based on various rules; para 127, sensitive data may be identified and redacted while other data may be allowed to be cut/copy and pasted. In some cases, the system may deem it sufficient to block and/or otherwise control and/or limit and/or alter and/or notify someone regarding the paste action, while in other cases the system may block and/or otherwise control and/or limit and/or alter and/or notify someone regarding the cut/copy action to the clipboard, while in yet other cases the system may block and/or otherwise control and/or limit and/or alter and/or notify someone regarding both the cut/copy and the paste action. Also, as part of the altering of the action, the data that is cut/copied to the clipboard and/or the data that is pasted into the destination document, application or target may be replaced by non-sensitive data, for example, a warning that the cut/copy and/or paste action is not permitted).

2. Meier discloses the method of claim 1, further comprising: transmitting, by the computing device to an analytic server, information for the transfer (para 154-155), identifying: a user associated with the computing device (para 64), the one application (para 66), the another application for the (para 66), type of the field to receive the sensitive information (para 66, 68, 115), and type of the computing device (para 65); and receiving, by the computing device from the analytic server, an indication of the action based on the transmitted information (para 61, see above).

3. Meier discloses the method of claim 1, wherein the transfer of data comprises a copy event and a paste event (para 61, see above).

4. Meier discloses the method of claim 3, further comprising: setting event listeners for detecting one or more events in the computing device, wherein the event listeners comprise at least one of a copy listener, a paste listener, a clipboard listener, a drag and drop listener, or a navigation listener (fig 4 and corresponding text, copy/paste filter has interceptors and listeners; see also para 61, see above).

5. Meier discloses the method of claim 1, wherein the detecting the transfer of data further comprises: identifying the field to receive the sensitive information within a window or a document (para 115); and setting a paste listener for the field to receive the sensitive information (para 115, the detection occurs because the method is listening for cut/copy or paste).

7. Meier discloses the method of claim 1, wherein the determining that the one application of the transfer is insecure further comprises: identifying the one application by retrieving identification of an application that last placed data in a clipboard (para 66).

8. Meier discloses the method of claim 1, wherein the determining that the one application of the transfer is insecure further comprises: identifying the one application by retrieving domain name of a web application using a browser script (para 66, 115, 123).

Claim 9 is similar in scope to claim 1 and is rejected under similar rationale.

Claims 10-13, 15-16 are similar in scope to claims 1-5, 6-8 and are rejected under similar rationale.

Claim 17 is similar in scope to claims 1-2 and is rejected under similar rationale.

19. Meier discloses the method of claim 17, wherein the one or more actions comprise at least one of: instructions to generate a warning for a user; instructions to lock the user's account; or instructions to generate a prompt for the user to change login credentials (para 127, 151).

20. Meier discloses the method of claim 17, wherein the one or more actions comprise a first action and a subsequent second action, the method further comprising: transmitting, by the analytic server to the client computing device, the first action in response to determining that the user has performed a first threshold number of transfer of sensitive information (para 117-120); and transmitting, by the analytic server to the client computing device, the subsequent second action in response to determining that the user has performed a second threshold number of transfer of sensitive information, wherein the second threshold is higher than the first threshold (para 117-120).


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 6 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Meier as applied to claims 1 and 9 above, and further in view of Kominar et al. (US 2018/0248698), hereafter Kominar.
6. Meier discloses the method of claim 1, wherein detecting the transfer of data further comprises: setting a paste listener for a window or a document (para 115); and using the paste listener, detecting that a field within the window or the document has been modified (para 115), but does not explicitly disclose by adding hidden characters. However, in an analogous art, Kominar discloses inadvertent password entry detection including adding hidden characters (para 59-60). It would have been obvious to a person of ordinary skill in the art before the effective filing date to modify the implementation of Meier with the implementation of Kominar in order to improve password security (para 2).

Claim 14 is similar in scope to claim 6 and is rejected under similar rationale.

Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Meier as applied to claim 17 above, and further in view of Sabharwal (US 2014/0278733), hereafter Sabharwal.
18. Meier discloses information sent to a log that can be later audited (para 152; see also para 120) and the method of claim 17, but does not disclose further comprising: generating for display, by the analytic server, a dashboard view of a plurality of risk scores for a plurality of users including the risk score for the user. However, in an analogous art, Sabharwal discloses risk management methods and systems including generating, for display, a dashboard view of a plurality of risk scores for a plurality of users including the risk score for the user (para 33, user level granularity). It would have been obvious to a person of ordinary skill in the art before the effective filing date to modify the implementation of Meier with the implementation of Sabharwal in order to provide management of risks and vulnerabilities (para 11).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAMES R TURCHEN whose telephone number is (571)270-1378. The examiner can normally be reached Monday-Friday: 7-3.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 571-270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/JAMES R TURCHEN/ Primary Examiner, Art Unit 2439