DETAILED ACTION
The present office action is responsive to the applicant’s filling an amendment on 05/17/2022. 
The application has claims 1-20 present. All the claims have been examined.
Previous objections have been withdrawn as necessitated by the claim amendments.  

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .


Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claim(s) 1, 2, 9, 10, 15 and 16 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Pillai et al.(US 9654510).

In regards to claims (1, 9 and 15) Pillai discloses a method comprising: generating, by a first computing device, according to a first response from a server and an output from a second computing device (see col. 6 lines 32-37:  “a network gateway… Traffic on certain ports may pass through OLP
system 120 for processing". See col 5 lines 21-24: information accessed by DLP system 120 and client system); identifying sensitive data in the first response (see col. 5 lines 65-67: Rules 136 contain information used to determine if activity sharing content should be regarded as a DLP event, and if so, what action should be taken in relation to the event); at least one rule regarding the sensitive data and at least one template for data loss prevention (DLP) responses (see col. 5 lines 65-67 and col. 7 lines 53-62: teaches rules and “after detecting a regular expression match or a keyword match, detection server 122 may build a match signature representing the incident. A match signature generated to represent a DLP event detected based on a regular expression match may include the regular expression, matching strings, and offsets between the matching strings. A match signature generated to represent a DLP event detected based on keyword match may include the matching words and offsets between each of the matching words or phrases."); determining, by the first computing device according to the at least one rule, a match to a second response from the server, that includes the sensitive data (see col. 8 lines 40-42: "In some cases, signature module 206 may compare a signature generated from content for the event to signatures stored in data store 120"); and providing, by the first computing device according to the match and the at least one template, a DLP response to redact the sensitive data of the second response, in place of a DLP output from the second computing device identifying the sensitive data in the second response. (see col. 9 lines 9-18: "Depending on the rule, action module 302 may block, quarantine, and/or log the event using event logger 304.".. “blocking content including personally identifiable information or quarantining such information”)

In regards to claims (2, 10 and 16) Pillai further discloses, wherein the sensitive data includes a class or type of content (see col. 6 lines 1-10; type of content of sensitive data).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 3-8, 11-14, and 17-20  is/are rejected under 35 U.S.C. 103 as being unpatentable over Pillai et al.(US 9654510), in view of Allen et al. (US 20180276393)

In regards to claims (3, 11 and 17), Pillai doesn’t specifically teach converting, by the first computing device, the sensitive data into an identifiable user interface element, wherein the at least one rule is configured to match with the identifiable user interface element.
Allen teaches converting, by the first computing device, the sensitive data into an identifiable user interface element, wherein the at least one rule is configured to match with the identifiable user interface element (see at least para 64-65; using the rules to match and obfuscate).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to use teachings Allen with the teachings of Pillai with a reasonable expectation of success. It would have been motivated because it allows the obfuscation of sensitive data, so that unauthorized users can’t see the sensitive information (see para 3)

In regards to claims (4, 12 and 18), Pillai doesn’t specifically teach wherein the identifiable user interface element includes at least one of: a prefix, a suffix, a label, a length or number of characters of the sensitive data, a type of characters of the sensitive data, or at least one location values.
Allen teaches wherein the identifiable user interface element includes at least one of: a prefix, a suffix, a label, a length or number of characters of the sensitive data, a type of characters of the sensitive data, or at least one location values (see at least para 64-65; substituted with “safe data” label or number of character of the sensitive data or representation of type if characters).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to use teachings Allen with the teachings of Pillai with a reasonable expectation of success. It would have been motivated because it allows the obfuscation of sensitive data (see para 3)

In regards to claims (5, 13 and 19), Pillai teaches blocking the content (see col. 9 lines 9-18: "Depending on the rule, action module 302 may block, quarantine, and/or log the event using event logger 304.".. “blocking content including personally identifiable information or quarantining such information”), but doesn’t specifically mentions wherein the DLP response redacts or indicates to redact the sensitive data of the second response, according to the at least one rule 
Allen teaches wherein the DLP response redacts or indicates to redact the sensitive data of the second response, according to the at least one rule (see at least para 64-65; using the rules to match and obfuscate –redact-).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to use teachings Allen with the teachings of Pillai with a reasonable expectation of success. It would have been motivated because it allows the obfuscation of sensitive data, so that unauthorized users can’t see the sensitive information (see para 3)

In regards to claim 6, Pillai teaches comprising: determining, by the first computing device according to a first rule of the at least one rule, a complete match with a first data in the second response (see col 7 line 39 to col 9 line 18; matcher 204); determining, by the first computing device according to a second rule of the at least one rule, a complete match with a second data in the second response; and providing, by the first computing device according to the complete match with the first data, the complete match with the second match, and the at least one template (see col 7 line 39 to col 9 line 18; matcher 204 with exact matching or partial matching triggering a data loss event for any number of documents communicated and blocking data).
Pillai doesn’t specifically teach the DLP response to redact the first data and the second data of the second response.
Allen teaches the DLP response to redact the first data and the second data of the second response (see at least para 64-65; using the rules to match and obfuscate –redact-).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to use teachings Allen with the teachings of Pillai with a reasonable expectation of success. It would have been motivated because it allows the obfuscation of sensitive data, so that unauthorized users can’t see the sensitive information (see para 3)

In regards to claims (7 and 14), Pillai teaches, comprising: determining, by the first computing device according to a first rule of the at least one rule, a complete match with a first data in the second response; determining, by the first computing device according to a second rule of the at least one matching rule (see col 7 line 39 to col 9 line 18; matcher 204), an incomplete match with a second data in the second response; and providing, by the first computing device according to the complete match, the incomplete match and the at least one template, the DLP response to block the first data and to maintain the second data of the second response (see col 7 line 39 to col 9 line 18; matcher 204 with exact matching or partial matching triggering a data loss event for any number of documents communicated and blocking data and allowing certain information).
Pillai doesn’t specifically teach redact the first data 
Allen teaches teach redact the first data (see at least para 64-65; using the rules to match and obfuscate –redact- identified data and present the rest).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to use teachings Allen with the teachings of Pillai with a reasonable expectation of success. It would have been motivated because it allows the obfuscation of sensitive data, so that unauthorized users can’t see the sensitive information (see para 3)

In regards to claim 8, Pillai teaches, comprising: identifying, by the first computing device, a first template from the at least one template, that corresponds to the complete match with the first data (see col. 5 lines 65-67 and col. 7 line 39 to col 9 line 18; using a template and matcher 204 triggering a data loss event and blocking data and allowing certain information); and providing, by the first computing device according to the first template, the DLP response to block the first data and to maintain the second data of the second response (see col 7 line 39 to col 9 line 18; matcher 204 with exact matching or partial matching triggering a data loss event for any number of documents communicated and blocking data and allowing certain information)
Pillai doesn’t specifically teach redact the first data 
Allen teaches teach redact the first data (see at least para 64-65; using the rules to match and obfuscate –redact- identified data and present the rest).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to use teachings Allen with the teachings of Pillai with a reasonable expectation of success. It would have been motivated because it allows the obfuscation of sensitive data, so that unauthorized users can’t see the sensitive information (see para 3).

In regards to claim 20, Pillai teaches a method, comprising: receiving, by first computing device, first response from the server hosting a web application to display a first page of content (see col. 5 lines 45-55: "monitor web forms or file upload mechanisms.. may monitor network packets containing web form input (e.g., transmitted using HTTP, GET, POST, or multipart data). DLP system determines if the content should be flagged as a potential data loss event); identifying, by the first computing device, data of the first response that includes sensitive data; and applying, by the first computing device, a data loss event response to one subsequent response for display of a second page based on the at least one rule, the application of the data loss event trigger to prevent loss of sensitive information caused by display of the second page (col 5 lines 65-67: rules with information used to determine if activity sharing content should be regarded as a DLP event, and if so, what action should be taken in relation to the event.  Col. 7 line 39 to col 9 line 18; matcher 204 with exact matching or partial matching triggering a data loss event for any number of documents communicated and blocking data and allowing certain information).
Pillai doesn’t specifically teach generating, by the first computing device, an element displayable on the page in response to the identification of the data of the received first response, the element identifiable based on the at least one rule and includes non-sensitive data.
Allen teaches generating, by the first computing device, an element displayable on the page in response to the identification of the data of the received first response, the element identifiable based on the at least one rule and includes non-sensitive data. (see at least para 64-65; using the rules to match and obfuscate –redact- identified data and present the rest).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to use teachings Allen with the teachings of Pillai with a reasonable expectation of success. It would have been motivated because it allows the obfuscation of sensitive data, so that unauthorized users can’t see the sensitive information (see para 3).

Response to Arguments
Applicant's arguments have been fully considered but they are not persuasive.

Applicant argues, Pillai fails to disclose a first computing device generating (1) a rule regarding sensitive data and (2) a template for data loss prevention (DLP) responses, in accordance with (1) a response from a server and (2) an output from a second computing device identifying the sensitive data in the response. And “generating, by a first computing device, according to a first response from a server and an output from a second computing device identifying sensitive data in the first response, at least one rule regarding the sensitive data and at least one template for data loss prevention (DLP) responses” as recited.

Examiner respectfully disagrees. As provided on the rejection above the prior art of Pillai teaches: 
A) identifying sensitive data in the first response (On figure 1, shows the database having the rules -item 136- and in col. 5 lines 65-67 teaches “Rules 136 contain information used to determine if activity sharing content should be regarded as a DLP event, and if so, what action should be taken in relation to the event”. The data is identified); 
B) at least one rule regarding the sensitive data and at least one template for data loss prevention (DLP) responses (as mention above, teaches the rule and what to do on col. 5 lines 65-69. Right after it teaches “For example, a rule involving personally-identifiable information could define a data format used to match content (e.g., that a U.S. Social Security Number includes nine digits with a pattern of “###-##-####”). As such the rules have a templates e.g. SS template, that uses to determine what information pertains to a DLP event which is used for the DLP response as per the claim language. 
Additionally in col. 7 lines 53-62 teaches rules and “after detecting a regular expression match or a keyword match, detection server 122 may build a match signature representing the incident. A match signature generated to represent a DLP event detected based on a regular expression match may include the regular expression, matching strings, and offsets between the matching strings. A match signature generated to represent a DLP event detected based on keyword match may include the matching words and offsets between each of the matching words or phrases."); 
C) an output from a second computing device identifying the sensitive data in the response (in col. 9 lines 9-18: "Depending on the rule, action module 302 may block, quarantine, and/or log the event using event logger 304.".. “blocking content including personally identifiable information or quarantining such information”. The response logs data that identifies what was constituted as a DLP and take the appropriate action).
As such the prior art of Pillai teaches the elements as provided by the claim language and teaches “generating, by a first computing device, according to a first response from a server and an output from a second computing device identifying sensitive data in the first response, at least one rule regarding the sensitive data and at least one template for data loss prevention (DLP) responses” (col. 5 lines 65-69. Right after it teaches “For example, a rule involving personally-identifiable information could define a data format used to match content (e.g., that a U.S. Social Security Number includes nine digits with a pattern of “###-##-####”. In Col. 9 lines 9-18: After detection server 142 determines that an event is a data loss event (or a potential data loss event), information about the event, such as the signature generated for the event and data about the event (e.g., timestamps, event source, etc.) may be transferred to management server 144. Depending on the rule, action module 302 may block, quarantine, and/or log the event using event logger 304. For example, a rule which prohibits personally identifiable information from being transmitted across network 110 or to destinations in external network(s) 140 may result in action module 302 blocking content including personally identifiable information or quarantining such information in the event that transmission of personally identifiable information is allowable under limited circumstances.

Applicant further argues that the combination of prior art fails to teach “applying, by the first computing device, a data loss event response to one subsequent response for display of a second page based on the at least one rule, the application of the data loss event trigger to prevent loss of sensitive information caused by display of the second page” 
Examiner respectfully disagrees because as presented on the rejection above Pillai in col 5 lines 65-67, teaches the rules, additionally in  Col. 7 line 39 to col 9 line 18 and a further example of the matches in emails in col 10 line 25-47; matcher 204 with exact matching or partial matching triggering a data loss event for any number of documents communicated and blocking data and allowing certain information. Thus the matcher provides means to repeat the detection and rules in documents like emails and other documents which include documents having multiple pages. 
As such the prior art teaches the elements as provided by the claim language. If applicant would like to differentiate the instant application from the prior art of record, examiner suggest including language that further clarifies how the templates are used with the responses on the DLP events. 

Conclusion

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MARIO M VELEZ-LOPEZ whose telephone number is (571)270-7971.  The examiner can normally be reached on M-F 9:30am-5:30pm
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Scott Baderman can be reached on 571-272-3644.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MARIO M VELEZ-LOPEZ/
Examiner, Art Unit 2144


/SCOTT T BADERMAN/Supervisory Patent Examiner, Art Unit 2144