DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This office action is in response to communication filed on June 01, 2022.
Status of claims in the instant application:
Claims 1 – 2, 4 – 9, 11 – 15, and 17 – 20 are pending.
Claims 1, 8, 13, and 15 are amended.
Claims 3, 10, and 16 are cancelled.

Response to Arguments
Applicant's argument, see page [7] of Applicant’s remarks filed on June 01, 2022, with respect to claim 13 that was rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, regards as the invention, have been fully considered and persuasive. Therefore, the rejection has been withdrawn.

Applicant's argument, see page [7 – 8] of Applicant’s remarks filed on June 01, 2022, with respect to claims 1 – 3, 5 – 10, 12 – 16, and 18 – 20 that were rejected under 35 U.S.C. 103 as being unpatentable over US 20200257815 A1 to Huang et al., (hereafter, "Huang") further in view of US 20190097791 A1 to Hersans et al., (hereafter, "Hersans"), have been fully considered but they are not persuasive. Therefore, the Applicant is directed to the response below:
With respect to independent claims 1, 8, and 15, Applicant’s arguments are moot because of the new interpretation the previous reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
The rejection upon claims 4, 11 , and 17 under 35 U.S.C. 103 as being unpatentable over US 20200257815 A1 to Huang et al., (hereafter, "Huang") in view of US 20190097791 A1 to Hersans et al., (hereafter, "Hersans") further in view of US 20160275277 A1 to Huang et al., (hereafter, “Huan”) still stands because Applicant did not present an argument for the features specific to these claims. The arguments presented are only with respect to the independent claims. 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1 – 2, 5 – 9, 12 – 15, and 18 – 20 are rejected under 35 U.S.C. 103 as being unpatentable over US 20200257815 A1 to Huang et al., (hereafter, "Huang") in view of US 20170132429 A1 to Bell et al., (hereinafter, “Bell”) and in view of US 20190097791 A1 to Hersans et al., (hereafter, "Hersans").
Regarding claim 1, Huang teaches a method, comprising: associating a key with a tenant, in the multitenant environment, as a result of the storage system receiving data from the tenant through a network; [Huang, para. 63 discloses each encryption key may be specific, distinctive, or otherwise unique to a corresponding user. In some embodiments, the encryption keys may be standard encryption keys used by each of the computing devices 206 for the respective user associated with a particular tenant 204. In some embodiments, the tenant server 212 may be configured to store a copy of the encryption key for each of the users. The tenant server 212 may be configured to store the encryption key in, for instance, a secure location at the tenant 204 (such as an active directory). Para. 114 discloses the information on the service endpoint may be a port of a server, an IP address corresponding to the client service, or other address which may be used for transmitting information to the client service] storing the data, encrypted by the key, in the storage system; [Huang, para. 12 discloses storing, by the cloud service, the encrypted user data of the user to a storage indexed by the user identifier and the tenant identifier. Para. 18 discloses storing, by the first tenant server, an encryption key used for encrypting the encrypted user data], but Huang does not teach receiving, from the tenant, a request to delete the data; in response to receiving the request: initiating deletion of the data; starting a timer for a data recoverability time span; determining that the key, as retained in the storage system, is to be deleted, so that the data is to be inaccessible in unencrypted form; and deleting the key, after a data recoverability time span.
However, Bell does teach receiving, from the tenant, a request to delete the data; in response to receiving the request: initiating deletion of the data; [Bell, para. 43 discloses a user may request to destroy (e.g., permanently delete) the first set of data as opposed to a system determining that a policy event to destroy the first set of data has been triggered. In some embodiments, the user request may include a request to destroy one or more security keys associated with the first set of data, a request to destroy the first set of data within a source data file, and a request to destroy the first set of data copied to other files (e.g., backup files). In some embodiments, the user request may be based on “delete” and/or destroy operations to delete the data via a query. In an example illustration, a customer user may desire to delete his or her database record that corresponds to cancelling his or her account and any other associated file that the database record may be located in.] determining that the key, as retained in the storage system, is to be deleted, so that the data is to be inaccessible in unencrypted form. [Bell, para. 43 discloses in some embodiments, the user request may include a request to destroy one or more security keys associated with the first set of data, a request to destroy the first set of data within a source data file, and a request to destroy the first set of data copied to other files (e.g., backup files). Para. 46 discloses A security key (e.g., public key, private key, symmetric key, one of an asymmetric key pair, etc.) may be a set of particular parameters that guide the algorithm and encrypt or decrypt data. Para. 48 discloses a file manager or database manager may delete a second security key associated with the first file. Deleting a security key destroys or “zeroes out” the binary values that make up the security key such that the binary values are overwritten. In some embodiments, the binary values may be overwritten multiple times to ensure that the security key is destroyed. Consequently, if the security key is a key used for decryption, the data within the first file may remain permanently encrypted such that an unauthorized user may not be able to obtain the security key to decrypt the data on the first file after the security key has been deleted. In some embodiments, only one security key is destroyed for a given file because the one security key may be responsible for decrypting the entire file.]
Therefore, it would have been obvious to one of ordinary skill within the art before the effective filling date to combine Bell’s system with Huang’s system, with a motivation to allow the user to input a destroy operation within a query statement that specifies to destroy the database record within a data file and within any other file (e.g., transaction log) that includes a copy of the data. [Bell, para. 43]
However, Huang in view of Bell does not teach starting a timer for a data recoverability time span; and deleting the key, after a data recoverability time span, but Hersans does teach starting a timer for a data recoverability time span; [Hersans, para. 67 discloses BYOK push component 660 may receive the first encryption key parameter from the user based on an upload periodicity or an upload schedule. BYOK time-based component 665 may send, to the user, a first call out message requesting the first encryption key parameter, where receiving, from the user, the first encryption key parameter is based on the first call out message. Additionally, BYOK time-based component 665 may send, to the user, a second call out message requesting an updated encryption key parameter based on a time-to-live parameter or a destruction request message received from the user. BYOK identifier 670 may determine whether the first encryption key parameter includes a tenant-specific encryption key or a tenant secret based on metadata associated with the user input.] and deleting the key, after a data recoverability time span. [Hersans, para. 37 discloses the encryption key may be associated with a user-specified or standard TTL, which may specify an amount of time or a specific time and date. The data center 210 may destroy the encryption key following the specified amount of time or at the specific time and date.]
Therefore, it would have been obvious to one of ordinary skill within the art before the effective filling date to combine Hersans’s system with Huang’s system, with a motivation to invalidate or remove an encryption key from the distributed cache, so that an encryption key may not be visible to any application servers. [Hersans, para. 16] 

As per claim 2, modified Huang teaches the method of claim 1 wherein the associating the key with the tenant comprises: tagging the key with a tenant tag. [Huang, para. 63 discloses each encryption key may be specific, distinctive, or otherwise unique to a corresponding user. In some embodiments, the encryption keys may be standard encryption keys used by each of the computing devices 206 for the respective user associated with a particular tenant 204. Para. 95 discloses the server may generate an encryption key specifically associated with the user. The encryption key may be generated by the server according to an encryption or cryptographic protocol. The encryption/cryptographic protocol may be determined by the server, user operating the computing device, and so forth. In some embodiments, when the server generates the encryption key, the server may save the encryption key associated with the user identifier for the user. The server may save the encryption key in the active directory as a confidential object or attribute.]

Regarding claim 5, modified Huang teaches the method of claim 1, but Huang in view of Hersans does not explicitly teach to exclude the encrypted data that is tagged with the tenant tag from garbage collection, during an agreed-upon data recoverability time span that starts with the receiving the request from the tenant to delete the data,
However, Hersans does teach that the encryption key is not deleted during an agreed-upon data recoverability time span that starts with the receiving the request from the tenant to delete the data. [Hersans, para. 37 discloses the user device 205 may send an explicit key destruction request message to the data center 210, and the data center 210 or distributed cache 230 may destroy the encryption key based on the message. The encryption key may be stored in the distributed cache 230 during its existence in the data center 210, and may not be stored in the central database 235 or backed up in any backup or data recovery systems. Any application server 220 may access the encryption key in the distributed cache 230 before it is destroyed based on the time-based expiry or destruction command.] This implies that encryption keys are maintained during the agreed upon time span in order to decrypt data encrypted with the encryption keys. 
Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify Huang in view of Hersans to exclude the encrypted data that is tagged with the tenant tag from garbage collection, during an agreed-upon data recoverability time span that starts with the receiving the request from the tenant to delete the data, the motivation is that maintaining the data encrypted with the encryption keys would yield the expected result of enabling use of the retained encryption keys to decrypt the encrypted data during the agreed upon time span.

Regarding claim 6, modified Huang teaches the method of claim 1, but modified Huang does not teach further comprising: exporting the key to the tenant, responsive to the request from the tenant to delete the data; and importing the key from the tenant, responsive to a request to cancel deletion of the data.
	However, Hersans does teach exporting the key to the tenant, responsive to the request from the tenant to delete the data; [Hersans, para. 49 discloses the key service 330 or the application server 310 may return a response message to the user device (e.g., including decrypted data requested by the user device, or an indication that data was encrypted using the DEK). In some cases, the key service 330 may send the DEK to a different application server, or to an application running on the user device in response to the initial request message] and importing the key from the tenant, responsive to a request to cancel deletion of the data. [Hersans, para. 36 discloses the user device 205 may return the encryption key or permission to access the encryption key (e.g., based on input from a user authorizing the key retrieval). In some cases, the request-based pull procedure may override security functionality of the data center 210 (e.g., security functionality that prohibits sending callouts during a transaction).]
	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date to combine Hersans’s system with Huang’s system, with a motivation to derive the encryption key from a key derivation server, and may invalidate the encryption key based on a user command or a time-to-live (TTL) parameter of the encryption key. Once invalidated or removed from the distributed cache, an encryption key may not be visible to any application servers [Hersans, para. 30]

Regarding claim 7, modified Huang teaches the method of claim 1, but modified Huang does not teach further comprising: exporting the key to the tenant, responsive to the request from the tenant to delete the data while retaining the key in the storage system, as a master key for approval and delaying deletion of the key during a data recoverability time span; to support access by the tenant to the data, with approval by the master key, responsive to the tenant returning the exported key.
However, Hersans does teach exporting the key to the tenant, responsive to the request from the tenant to delete the data; [Hersans, para. 49 discloses the key service 330 or the application server 310 may return a response message to the user device (e.g., including decrypted data requested by the user device, or an indication that data was encrypted using the DEK). In some cases, the key service 330 may send the DEK to a different application server, or to an application running on the user device in response to the initial request message] while retaining the key in the storage system, as a master key for approval [Hersans, para. 54 discloses the application server 410 may send an encryption key destroy call to the distributed cache 415. The encryption key destroy call may include an indication of the tenant or tenant secret. In some cases, at 435, the distributed cache 415 may search distributed cache storage for any encryption keys (e.g., DEKs) corresponding to the indicated tenant or tenant secret, and may remove the corresponding encryption keys from the distributed cache 415. In other cases, the distributed cache 415 may not destroy the corresponding encryption keys, and instead may implement key destruction markers. For example, when retrieving an encryption key, the distributed cache 415 may first determine whether the corresponding tenant secret is marked with a key destruction marker. If the tenant secret contains the key destruction marker, the distributed cache 415 may refrain from retrieving any encryption keys associated with that tenant secret, effectively destroying those encryption keys from a user access standpoint. Para. 33 discloses the key derivation function may additionally receive a master secret, a master salt, or both as inputs to determine the tenant-specific encryption key (e.g., a DEK). The key derivation server 225 may additionally generate universal, tenant-specific, or DEK-specific KEKs. The KEKs may be generated based on a same HSM, master secret, master salt, and/or key derivation function, or may be generated based on different parameters and functions than the DEKs] and delaying deletion of the key during a data recoverability time span [Hersans, para. 32 discloses the application server 220 may include KEK storage 245 in a local key cache, but may not store either the DEK or encrypted DEK. Instead, the decrypted plaintext version of the DEK may exist for the duration of an encryption key request in the application server 220, and then may be destroyed. Para. 37 discloses for a time-based expiry procedure, the data center 210 (e.g., the distributed cache 230 of the data center 210) may transmit a callout to a user device 205 based on a TTL policy or explicit destruction call from a user. For example, the data center 210 may send a first callout to the user device 205, and may receive an encryption key (e.g., a DEK) in response. In some cases, the encryption key may be associated with a user-specified or standard TTL, which may specify an amount of time or a specific time and date] to support access by the tenant to the data, with approval by the master key, responsive to the tenant returning the exported key. [Hersans, para. 37 discloses the encryption key may be stored in the distributed cache 230 during its existence in the data center 210, and may not be stored in the central database 235 or backed up in any backup or data recovery systems. Any application server 220 may access the encryption key in the distributed cache 230 before it is destroyed based on the time-based expiry or destruction command. Additionally or alternatively, the encryption key may be encrypted using a KEK while stored in the distributed cache 230 (e.g., the encryption may occur at the key derivation server 225). Para. 36 discloses the user device 205 may return the encryption key or permission to access the encryption key (e.g., based on input from a user authorizing the key retrieval). In some cases, the request-based pull procedure may override security functionality of the data center 210 (e.g., security functionality that prohibits sending callouts during a transaction).]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date to combine Hersans’s system with Huang’s system, with a motivation to protect against such attacks, or other unauthorized attempts to read encrypted data records, the distributed cache 230 may store the encryption keys as ciphertext, rather than plaintext. [Hersans, para. 31]

Regarding claim 8, Huang teaches a tangible, non-transitory, computer-readable media having instructions thereupon which, when executed by a processor, cause the processor to perform a method comprising: associating a key with a tenant, in a multitenant environment, as a result of a storage system receiving data from the tenant through a network, which the storage system recognizes as associated with the tenant; [Huang, para. 63 discloses each encryption key may be specific, distinctive, or otherwise unique to a corresponding user. In some embodiments, the encryption keys may be standard encryption keys used by each of the computing devices 206 for the respective user associated with a particular tenant 204. In some embodiments, the tenant server 212 may be configured to store a copy of the encryption key for each of the users. The tenant server 212 may be configured to store the encryption key in, for instance, a secure location at the tenant 204 (such as an active directory). Para. 114 discloses the information on the service endpoint may be a port of a server, an IP address corresponding to the client service, or other address which may be used for transmitting information to the client service] encrypting the data with the key; [Huang, para. 9 discloses to store user data at the cloud services, the client may encrypt user data using the encryption key] storing the encrypted data in the storage system; [Huang, para. 12 discloses storing, by the cloud service, the encrypted user data of the user to a storage indexed by the user identifier and the tenant identifier. Para. 18 discloses storing, by the first tenant server, an encryption key used for encrypting the encrypted user data] retaining the key associated with the tenant, in the storage system, so that the key is not available external to the storage system while so retained; [Huang, para. 13 discloses the first server is configured to generate an encryption key for the user and store the encryption key as a confidential information in a user object for the user. In some embodiments, the first server is configured to provide a cloud service endpoint, the encryption key and the user data access ticket to the computing device of the user.], but Huang does not teach receiving, from the tenant, a request to delete the data; in response to receiving the request: initiating deletion of the data; starting a timer for a data recoverability time span; determining that the key, as retained in the storage system is to be deleted, so that the data is to be inaccessible in unencrypted form; and deleting the key, after the data recoverability time span. 
However, Bell does teach receiving, from the tenant, a request to delete the data; in response to receiving the request: initiating deletion of the data; [Bell, para. 43 discloses a user may request to destroy (e.g., permanently delete) the first set of data as opposed to a system determining that a policy event to destroy the first set of data has been triggered. In some embodiments, the user request may include a request to destroy one or more security keys associated with the first set of data, a request to destroy the first set of data within a source data file, and a request to destroy the first set of data copied to other files (e.g., backup files). In some embodiments, the user request may be based on “delete” and/or destroy operations to delete the data via a query. In an example illustration, a customer user may desire to delete his or her database record that corresponds to cancelling his or her account and any other associated file that the database record may be located in.] determining that the key, as retained in the storage system, is to be deleted, so that the data is to be inaccessible in unencrypted form. [Bell, para. 43 discloses in some embodiments, the user request may include a request to destroy one or more security keys associated with the first set of data, a request to destroy the first set of data within a source data file, and a request to destroy the first set of data copied to other files (e.g., backup files). Para. 46 discloses A security key (e.g., public key, private key, symmetric key, one of an asymmetric key pair, etc.) may be a set of particular parameters that guide the algorithm and encrypt or decrypt data. Para. 48 discloses a file manager or database manager may delete a second security key associated with the first file. Deleting a security key destroys or “zeroes out” the binary values that make up the security key such that the binary values are overwritten. In some embodiments, the binary values may be overwritten multiple times to ensure that the security key is destroyed. Consequently, if the security key is a key used for decryption, the data within the first file may remain permanently encrypted such that an unauthorized user may not be able to obtain the security key to decrypt the data on the first file after the security key has been deleted. In some embodiments, only one security key is destroyed for a given file because the one security key may be responsible for decrypting the entire file.]
Therefore, it would have been obvious to one of ordinary skill within the art before the effective filling date to combine Bell’s system with Huang’s system, with a motivation to allow the user to input a destroy operation within a query statement that specifies to destroy the database record within a data file and within any other file (e.g., transaction log) that includes a copy of the data. [Bell, para. 43]
However, Huang in view of Bell does not teach starting a timer for a data recoverability time span; and deleting the key, after a data recoverability time span, but Hersans does teach starting a timer for a data recoverability time span; [Hersans, para. 67 discloses BYOK push component 660 may receive the first encryption key parameter from the user based on an upload periodicity or an upload schedule. BYOK time-based component 665 may send, to the user, a first call out message requesting the first encryption key parameter, where receiving, from the user, the first encryption key parameter is based on the first call out message. Additionally, BYOK time-based component 665 may send, to the user, a second call out message requesting an updated encryption key parameter based on a time-to-live parameter or a destruction request message received from the user. BYOK identifier 670 may determine whether the first encryption key parameter includes a tenant-specific encryption key or a tenant secret based on metadata associated with the user input.] and deleting the key, after a data recoverability time span. [Hersans, para. 37 discloses the encryption key may be associated with a user-specified or standard TTL, which may specify an amount of time or a specific time and date. The data center 210 may destroy the encryption key following the specified amount of time or at the specific time and date.]
Therefore, it would have been obvious to one of ordinary skill within the art before the effective filling date to combine Hersans’s system with Huang’s system, with a motivation to invalidate or remove an encryption key from the distributed cache, so that an encryption key may not be visible to any application servers. [Hersans, para. 16] 

As per claim 9, modified Huang teaches the tangible, non-transitory, computer-readable media of claim 8, wherein the method further comprises: generating the key [Huang, para. 13 discloses the first server is configured to generate an encryption key for the user and store the encryption key as a confidential information in a user object for the user] and tagging the key with a tenant tag for the associating the key with the tenant. [Huang, para. 63 discloses each encryption key may be specific, distinctive, or otherwise unique to a corresponding user. In some embodiments, the encryption keys may be standard encryption keys used by each of the computing devices 206 for the respective user associated with a particular tenant 204. Para. 95 discloses the server may generate an encryption key specifically associated with the user. The encryption key may be generated by the server according to an encryption or cryptographic protocol. The encryption/cryptographic protocol may be determined by the server, user operating the computing device, and so forth. In some embodiments, when the server generates the encryption key, the server may save the encryption key associated with the user identifier for the user. The server may save the encryption key in the active directory as a confidential object or attribute.]

Regarding claim 12, modified Huang teaches the tangible, non-transitory, computer-readable media of claim 8, wherein the method further comprises: wherein the associating the key with the tenant comprises tagging the key with the tenant tag [Huang, para. 63 discloses each encryption key may be specific, distinctive, or otherwise unique to a corresponding user. In some embodiments, the encryption keys may be standard encryption keys used by each of the computing devices 206 for the respective user associated with a particular tenant 204. Para. 95 discloses when the server generates the encryption key, the server may save the encryption key associated with the user identifier for the user. The server may save the encryption key in the active directory as a confidential object or attribute], but Huang in view of Hersans does not teach explicitly teach excluding the encrypted data that is tagged with the tenant tag from garbage collection, during an agreed-upon data recoverability time span that starts with the request from the tenant to delete the data.
However, Hersans does teach that the encryption key is not deleted during an agreed-upon data recoverability time span that starts with the receiving the request from the tenant to delete the data. [Hersans, para. 37 discloses the user device 205 may send an explicit key destruction request message to the data center 210, and the data center 210 or distributed cache 230 may destroy the encryption key based on the message. The encryption key may be stored in the distributed cache 230 during its existence in the data center 210, and may not be stored in the central database 235 or backed up in any backup or data recovery systems. Any application server 220 may access the encryption key in the distributed cache 230 before it is destroyed based on the time-based expiry or destruction command.] This implies that encryption keys are maintained during the agreed upon time span in order to decrypt data encrypted with the encryption keys.
Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify Huang in view of Hersans to exclude the encrypted data that is tagged with the tenant tag from garbage collection, during an agreed-upon data recoverability time span that starts with the receiving the request from the tenant to delete the data, the motivation is that it that maintaining the data encrypted with the encryption keys would yield the expected result of enabling use of the retained encryption keys to decrypt the encrypted data during the agreed upon time span.

Regarding claim 13, modified Huang teaches the tangible, non-transitory, computer-readable media of claim 8, but modified Huang does not teach further comprises: exporting the key to the tenant, responsive to the request from the tenant to delete the data while retaining the encrypted data in the storage system to allow importing the key from the tenant to the storage system, responsive to a request by the tenant, within an agreed-upon data recoverability time span that starts with the request from the tenant to delete the data, to cancel deletion of the data.
	However, Hersans does teach exporting the key to the tenant, responsive to the request from the tenant to delete the data; [Hersans, para. 49 discloses the key service 330 or the application server 310 may return a response message to the user device (e.g., including decrypted data requested by the user device, or an indication that data was encrypted using the DEK). In some cases, the key service 330 may send the DEK to a different application server, or to an application running on the user device in response to the initial request message] deleting the key as retained in the storage system [Hersans, para. 16 discloses the user device may transmit a destruction request message corresponding to a secret or an encryption key to the data center, and the data center may destroy or mark for deletion the specified tenant secret, tenant-specific encryption key, or both, in response] while retaining the encrypted data in the storage system; [Hersans, para. 54 discloses the application server 410 may send an encryption key destroy call to the distributed cache 415. The encryption key destroy call may include an indication of the tenant or tenant secret. In some cases, at 435, the distributed cache 415 may search distributed cache storage for any encryption keys (e.g., DEKs) corresponding to the indicated tenant or tenant secret, and may remove the corresponding encryption keys from the distributed cache 415. In other cases, the distributed cache 415 may not destroy the corresponding encryption keys, and instead may implement key destruction markers. For example, when retrieving an encryption key, the distributed cache 415 may first determine whether the corresponding tenant secret is marked with a key destruction marker. If the tenant secret contains the key destruction marker, the distributed cache 415 may refrain from retrieving any encryption keys associated with that tenant secret, effectively destroying those encryption keys from a user access standpoint. Para. 33 discloses the key derivation function may additionally receive a master secret, a master salt, or both as inputs to determine the tenant-specific encryption key (e.g., a DEK). The key derivation server 225 may additionally generate universal, tenant-specific, or DEK-specific KEKs. The KEKs may be generated based on a same HSM, master secret, master salt, and/or key derivation function, or may be generated based on different parameters and functions than the DEKs] so that the key can be imported from the tenant to the storage system, responsive to a request by the tenant, within an agreed-upon data recoverability time span that starts with the request from the tenant to delete the data, to cancel deletion of the data. [Hersans, para. 36 discloses the user device 205 may return the encryption key or permission to access the encryption key (e.g., based on input from a user authorizing the key retrieval). In some cases, the request-based pull procedure may override security functionality of the data center 210 (e.g., security functionality that prohibits sending callouts during a transaction).]
	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date to combine Hersans’s system with Huang’s system, with a motivation to derive the encryption key from a key derivation server, and may invalidate the encryption key based on a user command or a time-to-live (TTL) parameter of the encryption key. Once invalidated or removed from the distributed cache, an encryption key may not be visible to any application servers [Hersans, para. 30]

Regarding claim 14, modified Huang teaches the tangible, non-transitory, computer-readable media of claim 8, but modified Huang does not teach wherein the method further comprises: exporting the key to the tenant, responsive to the request from the tenant to delete the data while retaining the key in the storage system, as a master key for approval and delaying deletion of the key during an agreed-upon data recoverability time span that starts with the request from the tenant to delete the data to support access by the tenant to the data, using the key that was exported, with approval by the master key, responsive to a request by the tenant within the data recoverability time span to undelete the data, accompanied by the tenant returning the exported key to the storage system.
However, Hersans does teach exporting the key to the tenant, responsive to the request from the tenant to delete the data [Hersans, para. 49 discloses the key service 330 or the application server 310 may return a response message to the user device (e.g., including decrypted data requested by the user device, or an indication that data was encrypted using the DEK). In some cases, the key service 330 may send the DEK to a different application server, or to an application running on the user device in response to the initial request message] while retaining the key in the storage system, as a master key for approval [Hersans, para. 54 discloses the application server 410 may send an encryption key destroy call to the distributed cache 415. The encryption key destroy call may include an indication of the tenant or tenant secret. In some cases, at 435, the distributed cache 415 may search distributed cache storage for any encryption keys (e.g., DEKs) corresponding to the indicated tenant or tenant secret, and may remove the corresponding encryption keys from the distributed cache 415. In other cases, the distributed cache 415 may not destroy the corresponding encryption keys, and instead may implement key destruction markers. For example, when retrieving an encryption key, the distributed cache 415 may first determine whether the corresponding tenant secret is marked with a key destruction marker. If the tenant secret contains the key destruction marker, the distributed cache 415 may refrain from retrieving any encryption keys associated with that tenant secret, effectively destroying those encryption keys from a user access standpoint. Para. 33 discloses the key derivation function may additionally receive a master secret, a master salt, or both as inputs to determine the tenant-specific encryption key (e.g., a DEK). The key derivation server 225 may additionally generate universal, tenant-specific, or DEK-specific KEKs. The KEKs may be generated based on a same HSM, master secret, master salt, and/or key derivation function, or may be generated based on different parameters and functions than the DEKs] and delaying deletion of the key during an agreed-upon data recoverability time span that starts with the request from the tenant to delete the data [Hersans, para. 32 discloses the application server 220 may include KEK storage 245 in a local key cache, but may not store either the DEK or encrypted DEK. Instead, the decrypted plaintext version of the DEK may exist for the duration of an encryption key request in the application server 220, and then may be destroyed. Para. 37 discloses for a time-based expiry procedure, the data center 210 (e.g., the distributed cache 230 of the data center 210) may transmit a callout to a user device 205 based on a TTL policy or explicit destruction call from a user. For example, the data center 210 may send a first callout to the user device 205, and may receive an encryption key (e.g., a DEK) in response. In some cases, the encryption key may be associated with a user-specified or standard TTL, which may specify an amount of time or a specific time and date] to support access by the tenant to the data, using the key that was exported, with approval by the master key, responsive to a request by the tenant within the data recoverability time span to undelete the data, accompanied by the tenant returning the exported key to the storage system. [Hersans, para. 37 discloses the encryption key may be stored in the distributed cache 230 during its existence in the data center 210, and may not be stored in the central database 235 or backed up in any backup or data recovery systems. Any application server 220 may access the encryption key in the distributed cache 230 before it is destroyed based on the time-based expiry or destruction command. Additionally or alternatively, the encryption key may be encrypted using a KEK while stored in the distributed cache 230 (e.g., the encryption may occur at the key derivation server 225). Para. 36 discloses the user device 205 may return the encryption key or permission to access the encryption key (e.g., based on input from a user authorizing the key retrieval). In some cases, the request-based pull procedure may override security functionality of the data center 210 (e.g., security functionality that prohibits sending callouts during a transaction).]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date to combine Hersans’s system with Huang’s system, with a motivation to protect against such attacks, or other unauthorized attempts to read encrypted data records, the distributed cache 230 may store the encryption keys as ciphertext, rather than plaintext. [Hersans, para. 31]

Regarding claim 15, Huang teaches a storage system comprising: storage memory; a communication interface; and one or more processors, [Huang, para. 33 discloses computer 101 may include one or more processors 103, volatile memory 122 (e.g., random access memory (RAM)), non-volatile memory 128 (e.g., one or more hard disk drives (HDDs) or other magnetic or optical storage media, one or more solid state drives (SSDs) such as a flash drive or other solid state storage media, one or more hybrid magnetic and solid state drives, and/or one or more virtual storage volumes, such as a cloud storage, or a combination of such physical storage volumes and virtual storage volumes or arrays thereof), user interface (UI) 123, one or more communications interfaces 118, and communication bus 150. User interface 123 may include graphical user interface (GUI) 124 (e.g., a touchscreen, a display, etc.)] to: encrypt data with a key; [Huang, para. 9 discloses to store user data at the cloud services, the client may encrypt user data using the encryption key] tag the key with a tenant tag, [Huang, para. 11 discloses storing, by the cloud service responsive to validating the user data access ticket, the encrypted user data of the user associated with the user identifier and a tenant identifier corresponding to the tenant service key] to associate the key to a tenant in a multitenant environment, as a result of the storage system receiving the data from the tenant through the communication interface from a network and association with the data and the tenant; [Huang, para. 63 discloses each encryption key may be specific, distinctive, or otherwise unique to a corresponding user. In some embodiments, the encryption keys may be standard encryption keys used by each of the computing devices 206 for the respective user associated with a particular tenant 204. In some embodiments, the tenant server 212 may be configured to store a copy of the encryption key for each of the users. The tenant server 212 may be configured to store the encryption key in, for instance, a secure location at the tenant 204 (such as an active directory). Para. 114 discloses the information on the service endpoint may be a port of a server, an IP address corresponding to the client service, or other address which may be used for transmitting information to the client service] store the encrypted data in the storage memory; [Huang, para. 12 discloses storing, by the cloud service, the encrypted user data of the user to a storage indexed by the user identifier and the tenant identifier. Para. 18 discloses storing, by the first tenant server, an encryption key used for encrypting the encrypted user data] retain the key associated with the tenant, in the storage system, so that the key is not available external to the storage system while so retained; [Huang, para. 13 discloses the first server is configured to generate an encryption key for the user and store the encryption key as a confidential information in a user object for the user. In some embodiments, the first server is configured to provide a cloud service endpoint, the encryption key and the user data access ticket to the computing device of the user.], but Huang does not teach receive, from the tenant, a request to delete the data; in response to receiving the request: initiate deletion of the data; starting a timer for a data recoverability time span; determine that the key, as retained in the storage system is to be deleted, so that the data is to be inaccessible in unencrypted form; and deleting the key, after the data recoverability time span.
However, Bell does teach receive, from the tenant, a request to delete the data; in response to receiving the request: initiate deletion of the data; [Bell, para. 43 discloses a user may request to destroy (e.g., permanently delete) the first set of data as opposed to a system determining that a policy event to destroy the first set of data has been triggered. In some embodiments, the user request may include a request to destroy one or more security keys associated with the first set of data, a request to destroy the first set of data within a source data file, and a request to destroy the first set of data copied to other files (e.g., backup files). In some embodiments, the user request may be based on “delete” and/or destroy operations to delete the data via a query. In an example illustration, a customer user may desire to delete his or her database record that corresponds to cancelling his or her account and any other associated file that the database record may be located in.] determine that the key, as retained in the storage system is to be deleted, so that the data is to be inaccessible in unencrypted form [Bell, para. 43 discloses in some embodiments, the user request may include a request to destroy one or more security keys associated with the first set of data, a request to destroy the first set of data within a source data file, and a request to destroy the first set of data copied to other files (e.g., backup files). Para. 46 discloses A security key (e.g., public key, private key, symmetric key, one of an asymmetric key pair, etc.) may be a set of particular parameters that guide the algorithm and encrypt or decrypt data. Para. 48 discloses a file manager or database manager may delete a second security key associated with the first file. Deleting a security key destroys or “zeroes out” the binary values that make up the security key such that the binary values are overwritten. In some embodiments, the binary values may be overwritten multiple times to ensure that the security key is destroyed. Consequently, if the security key is a key used for decryption, the data within the first file may remain permanently encrypted such that an unauthorized user may not be able to obtain the security key to decrypt the data on the first file after the security key has been deleted. In some embodiments, only one security key is destroyed for a given file because the one security key may be responsible for decrypting the entire file.]
Therefore, it would have been obvious to one of ordinary skill within the art before the effective filling date to combine Bell’s system with Huang’s system, with a motivation to allow the user to input a destroy operation within a query statement that specifies to destroy the database record within a data file and within any other file (e.g., transaction log) that includes a copy of the data. [Bell, para. 43]
However, Huang in view of Bell does not teach starting a timer for a data recoverability time span; and deleting the key, after a data recoverability time span, but Hersans does teach starting a timer for a data recoverability time span; [Hersans, para. 67 discloses BYOK push component 660 may receive the first encryption key parameter from the user based on an upload periodicity or an upload schedule. BYOK time-based component 665 may send, to the user, a first call out message requesting the first encryption key parameter, where receiving, from the user, the first encryption key parameter is based on the first call out message. Additionally, BYOK time-based component 665 may send, to the user, a second call out message requesting an updated encryption key parameter based on a time-to-live parameter or a destruction request message received from the user. BYOK identifier 670 may determine whether the first encryption key parameter includes a tenant-specific encryption key or a tenant secret based on metadata associated with the user input.] and deleting the key, after a data recoverability time span. [Hersans, para. 37 discloses the encryption key may be associated with a user-specified or standard TTL, which may specify an amount of time or a specific time and date. The data center 210 may destroy the encryption key following the specified amount of time or at the specific time and date.]
Therefore, it would have been obvious to one of ordinary skill within the art before the effective filling date to combine Hersans’s system with Huang’s system, with a motivation to invalidate or remove an encryption key from the distributed cache, so that an encryption key may not be visible to any application servers. [Hersans, para. 16] 

Regarding claim 18, modified Huang teaches the storage system of claim 15, further comprising the one or more processors to: wherein the associating the key with the tenant comprises tagging the key with the tenant tag [Huang, para. 63 discloses each encryption key may be specific, distinctive, or otherwise unique to a corresponding user. In some embodiments, the encryption keys may be standard encryption keys used by each of the computing devices 206 for the respective user associated with a particular tenant 204. Para. 95 discloses when the server generates the encryption key, the server may save the encryption key associated with the user identifier for the user. The server may save the encryption key in the active directory as a confidential object or attribute], but Huang does not teach exclude the encrypted data that is tagged with the tenant tag from garbage collection, during an agreed-upon data recoverability time span that starts with the receiving the request from the tenant to delete the data.
However, Hersans does teach that the encryption key is not deleted during an agreed-upon data recoverability time span that starts with the receiving the request from the tenant to delete the data. [Hersans, para. 37 discloses the user device 205 may send an explicit key destruction request message to the data center 210, and the data center 210 or distributed cache 230 may destroy the encryption key based on the message. The encryption key may be stored in the distributed cache 230 during its existence in the data center 210, and may not be stored in the central database 235 or backed up in any backup or data recovery systems. Any application server 220 may access the encryption key in the distributed cache 230 before it is destroyed based on the time-based expiry or destruction command.] This implies that encryption keys are maintained during the agreed upon time span in order to decrypt data encrypted with the encryption keys. 
Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify Huang in view of Hersans to exclude the encrypted data that is tagged with the tenant tag from garbage collection, during an agreed-upon data recoverability time span that starts with the receiving the request from the tenant to delete the data, the motivation is that maintaining the data encrypted with the encryption keys would yield the expected result of enabling use of the retained encryption keys to decrypt the encrypted data during the agreed upon time span.

Regarding claim 19, modified Huang teaches the storage system having secure data deletion in a multitenant environment of claim 15, but modified Huang does not teach further comprising the one or more processors to: export the key to the tenant, responsive to the request from the tenant to delete the data to retain the encrypted data in the storage system and import the key from the tenant to the storage system, responsive to receiving a request to cancel deletion of the data.
	However, Hersans does teach export the key to the tenant, responsive to the request from the tenant to delete the data [Hersans, para. 49 discloses the key service 330 or the application server 310 may return a response message to the user device (e.g., including decrypted data requested by the user device, or an indication that data was encrypted using the DEK). In some cases, the key service 330 may send the DEK to a different application server, or to an application running on the user device in response to the initial request message] to retain the encrypted data in the storage system [Hersans, para. 54 discloses the application server 410 may send an encryption key destroy call to the distributed cache 415. The encryption key destroy call may include an indication of the tenant or tenant secret. In some cases, at 435, the distributed cache 415 may search distributed cache storage for any encryption keys (e.g., DEKs) corresponding to the indicated tenant or tenant secret, and may remove the corresponding encryption keys from the distributed cache 415. In other cases, the distributed cache 415 may not destroy the corresponding encryption keys, and instead may implement key destruction markers. For example, when retrieving an encryption key, the distributed cache 415 may first determine whether the corresponding tenant secret is marked with a key destruction marker. If the tenant secret contains the key destruction marker, the distributed cache 415 may refrain from retrieving any encryption keys associated with that tenant secret, effectively destroying those encryption keys from a user access standpoint. Para. 33 discloses the key derivation function may additionally receive a master secret, a master salt, or both as inputs to determine the tenant-specific encryption key (e.g., a DEK). The key derivation server 225 may additionally generate universal, tenant-specific, or DEK-specific KEKs. The KEKs may be generated based on a same HSM, master secret, master salt, and/or key derivation function, or may be generated based on different parameters and functions than the DEKs] and import the key from the tenant to the storage system, responsive to receiving a request to cancel deletion of the data. [Hersans, para. 36 discloses the user device 205 may return the encryption key or permission to access the encryption key (e.g., based on input from a user authorizing the key retrieval). In some cases, the request-based pull procedure may override security functionality of the data center 210 (e.g., security functionality that prohibits sending callouts during a transaction).]
	Therefore, it would have been obvious to one of ordinary skill in the art before effective filling date to combine Hersans’s system with Huang’s system, with a motivation to the derive the encryption key from a key derivation server, and may invalidate the encryption key based on a user command or a time-to-live (TTL) parameter of the encryption key. Once invalidated or removed from the distributed cache, an encryption key may not be visible to any application servers [Hersans, para. 30]

Regarding claim 20, modified Huang teaches the storage system having secure data deletion in a multitenant environment of claim 15, but modified Huang does not teach further comprising the one or more processors to: export the key to the tenant, responsive to the request from the tenant to delete the data while retaining the key in the storage system, as a master key for approval; delay deletion of the key during an agreed-upon data recoverability time span that starts with the request from the tenant to delete the data to support access by the tenant to the data, using the key that was exported, with approval by the master key, responsive to receiving a request from the tenant within the data recoverability time span to undelete the data, with the tenant returning the exported key to the storage system.
However, Hersans does teach export the key to the tenant, responsive to the request from the tenant to delete the data [Hersans, para. 49 discloses the key service 330 or the application server 310 may return a response message to the user device (e.g., including decrypted data requested by the user device, or an indication that data was encrypted using the DEK). In some cases, the key service 330 may send the DEK to a different application server, or to an application running on the user device in response to the initial request message] while retaining the key in the storage system, as a master key for approval [Hersans, para. 54 discloses the application server 410 may send an encryption key destroy call to the distributed cache 415. The encryption key destroy call may include an indication of the tenant or tenant secret. In some cases, at 435, the distributed cache 415 may search distributed cache storage for any encryption keys (e.g., DEKs) corresponding to the indicated tenant or tenant secret, and may remove the corresponding encryption keys from the distributed cache 415. In other cases, the distributed cache 415 may not destroy the corresponding encryption keys, and instead may implement key destruction markers. For example, when retrieving an encryption key, the distributed cache 415 may first determine whether the corresponding tenant secret is marked with a key destruction marker. If the tenant secret contains the key destruction marker, the distributed cache 415 may refrain from retrieving any encryption keys associated with that tenant secret, effectively destroying those encryption keys from a user access standpoint. Para. 33 discloses the key derivation function may additionally receive a master secret, a master salt, or both as inputs to determine the tenant-specific encryption key (e.g., a DEK). The key derivation server 225 may additionally generate universal, tenant-specific, or DEK-specific KEKs. The KEKs may be generated based on a same HSM, master secret, master salt, and/or key derivation function, or may be generated based on different parameters and functions than the DEKs] delay deletion of the key during an agreed-upon data recoverability time span that starts with the request from the tenant to delete the data [Hersans, para. 32 discloses the application server 220 may include KEK storage 245 in a local key cache, but may not store either the DEK or encrypted DEK. Instead, the decrypted plaintext version of the DEK may exist for the duration of an encryption key request in the application server 220, and then may be destroyed. Para. 37 discloses for a time-based expiry procedure, the data center 210 (e.g., the distributed cache 230 of the data center 210) may transmit a callout to a user device 205 based on a TTL policy or explicit destruction call from a user. For example, the data center 210 may send a first callout to the user device 205, and may receive an encryption key (e.g., a DEK) in response. In some cases, the encryption key may be associated with a user-specified or standard TTL, which may specify an amount of time or a specific time and date] to support access by the tenant to the data, using the key that was exported, with approval by the master key, responsive to receiving a request from the tenant within the data recoverability time span to undelete the data, with the tenant returning the exported key to the storage system. [Hersans, para. 37 discloses the encryption key may be stored in the distributed cache 230 during its existence in the data center 210, and may not be stored in the central database 235 or backed up in any backup or data recovery systems. Any application server 220 may access the encryption key in the distributed cache 230 before it is destroyed based on the time-based expiry or destruction command. Additionally or alternatively, the encryption key may be encrypted using a KEK while stored in the distributed cache 230 (e.g., the encryption may occur at the key derivation server 225). Para. 36 discloses the user device 205 may return the encryption key or permission to access the encryption key (e.g., based on input from a user authorizing the key retrieval). In some cases, the request-based pull procedure may override security functionality of the data center 210 (e.g., security functionality that prohibits sending callouts during a transaction).]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date to combine Hersans’s system with Huang’s system, with a motivation to protect against such attacks, or other unauthorized attempts to read encrypted data records, the distributed cache 230 may store the encryption keys as ciphertext, rather than plaintext. [Hersans, para. 31]

Claims 4, 11 , and 17 are rejected under 35 U.S.C. 103 as being unpatentable over US 20200257815 A1 to Huang et al., (hereafter, "Huang") in view of US 20170132429 A1 to Bell et al., (hereinafter, “Bell”) and in view of US 20190097791 A1 to Hersans et al., (hereafter, "Hersans") in further view of US 20160275277 A1 to Huang et al., (hereafter, “Huan”).
Regarding claim 4, modified Huang teaches the method of claim 1, but modified Huang does not teach further comprising: canceling a direction to delete the key, responsive to a request from the tenant to cancel deleting the data.
However, Huan does teach further comprising: canceling a direction to delete the key [Huan, para. 39 discloses if the data is soft deleted as a data protection response, the data may later be recovered by the OS. When data is soft deleted, only the links to the data (e.g., files) are deleted. The data can be recovered/restored by restoring the links from a safe store. In one embodiment, the restoration of the data can be automatic, such as the next time that the user logs in with the correct password and correct password entering context. Para. 37 discloses the data may be hidden, soft deleted, or hard deleted discretely, such that the person is not even aware that the data is or was ever present on the device. Additionally, or alternatively, displayed windows may be rearranged before the person has seen the prior arrangement of the windows, an alert may be transmitted to an owner or administrator of the device without the person's knowledge, and/or other data protection responses may be performed in a discrete manner], responsive to a request from the tenant to cancel deleting the data. [Huan, para. 28 discloses Context-based data protection enables a user to set up policies to protect data on devices against undesired access, such as in situations where a device has been stolen, where the device is being used against the user's will (e.g., the user has been forced to give out the device password, the device has been taken away while in active operation, etc.), and in other situations. Predefined actions are automatically executed to protect the data when a risky external context is detected so as to prevent the data from being compromised.] 
Therefore, it would have been obvious to one of ordinary skill within the art before the effective filling date to combine Huan’s system with modified Huang’s system, with a motivation to define sensitive data to be protected via a content attribute, data protection that covers the data on the device for all accounts. [Huan, para. 40]

Regarding claim 11, modified Huang teaches the tangible, non-transitory, computer-readable media of claim 8, but modified Huang does not teach wherein the method further comprises: canceling a direction to delete the key, responsive to a request from the tenant to cancel deleting the data, so that the key continues to be retained in the storage system.
However, Huan does teach wherein the method further comprises: canceling a direction to delete the key, responsive to a request from the tenant to cancel deleting the data, so that the key continues to be retained in the storage system. [Huan, para. 39 discloses if the data is soft deleted as a data protection response, the data may later be recovered by the OS. When data is soft deleted, only the links to the data (e.g., files) are deleted. The data can be recovered/restored by restoring the links from a safe store. In one embodiment, the restoration of the data can be automatic, such as the next time that the user logs in with the correct password and correct password entering context. Para. 37 discloses the data may be hidden, soft deleted, or hard deleted discretely, such that the person is not even aware that the data is or was ever present on the device. Additionally, or alternatively, displayed windows may be rearranged before the person has seen the prior arrangement of the windows, an alert may be transmitted to an owner or administrator of the device without the person's knowledge, and/or other data protection responses may be performed in a discrete manner. Para. 28 discloses Context-based data protection enables a user to set up policies to protect data on devices against undesired access, such as in situations where a device has been stolen, where the device is being used against the user's will (e.g., the user has been forced to give out the device password, the device has been taken away while in active operation, etc.), and in other situations. Predefined actions are automatically executed to protect the data when a risky external context is detected so as to prevent the data from being compromised.]  
Therefore, it would have been obvious to one of ordinary skill within the art before the effective filling date to combine Huan’s system with modified Huang’s system, with a motivation to define sensitive data to be protected via a content attribute, data protection that covers the data on the device for all accounts. [Huan, para. 40]

Regarding claim 17, modified Huang teaches the storage system of claim 15, but modified Huang does not teach further comprising the one or more processors to: cancel a direction to delete the key, responsive to receiving a request from the tenant to cancel deleting the data, so that the key continues to be retained in the storage system.
However, Huan does teach further comprising the one or more processors to: cancel a direction to delete the key, responsive to receiving a request from the tenant to cancel deleting the data, so that the key continues to be retained in the storage system. [Huan, para. 39 discloses if the data is soft deleted as a data protection response, the data may later be recovered by the OS. When data is soft deleted, only the links to the data (e.g., files) are deleted. The data can be recovered/restored by restoring the links from a safe store. In one embodiment, the restoration of the data can be automatic, such as the next time that the user logs in with the correct password and correct password entering context. Para. 37 discloses the data may be hidden, soft deleted, or hard deleted discretely, such that the person is not even aware that the data is or was ever present on the device. Additionally, or alternatively, displayed windows may be rearranged before the person has seen the prior arrangement of the windows, an alert may be transmitted to an owner or administrator of the device without the person's knowledge, and/or other data protection responses may be performed in a discrete manner. Para. 28 discloses Context-based data protection enables a user to set up policies to protect data on devices against undesired access, such as in situations where a device has been stolen, where the device is being used against the user's will (e.g., the user has been forced to give out the device password, the device has been taken away while in active operation, etc.), and in other situations. Predefined actions are automatically executed to protect the data when a risky external context is detected so as to prevent the data from being compromised.]  
Therefore, it would have been obvious to one of ordinary skill within the art before the effective filling date to combine Huan’s system with modified Huang’s system, with a motivation to define sensitive data to be protected via a content attribute, data protection that covers the data on the device for all accounts. [Huan, para. 40]

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Phuc Pham whose telephone number is (571)272-8893.  The examiner can normally be reached on Monday - Thursday 7:30 AM - 4:30 PM; Friday 8:00 AM - 12:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571)272-3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/P.P./Patent Examiner, Art Unit 2434   

/DANT B SHAIFER HARRIMAN/Primary Examiner, Art Unit 2434