Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION

The communication received on 7/29/22 has been entered.

Response to Arguments/Amendments

Applicant's arguments have been considered but are moot in view of the new ground(s) of rejection.
However, the examiner would like to address some of applicant’s concern regarding the prior art as pertaining to the claim language.  
It appears that applicant is seeking a particular interpretation of the claim language.  Specifically, it appears that applicant suggests that the claim should be red as the that it is the user based on which the particular authentication: a single or multi-factor is selected.
However, although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims.  See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993), especially since applicant’s claim language does not limit the interpretation argued interpretation but merely requires determining an authentication factor level for a user attempting to access email.  In fact, the preceding limitation: “examining … content of the email to determine an authentication factor level …”  clearly suggests that it is continent of the email that dictates the authentication type.
Perhaps, applicant attempted to clarify the argued point by amending the previously presented claims (e.g. lines 12-16 in claim 1); however, part of the intended meaning appeared to be lost by the limitation being left incomplete: “assigning, by the mail transfer agent, the authentication level to the email based [?]; and”

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as failing to set forth the subject matter which the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the applicant regards as the invention. Specifically, the limitation “assigning, by the mail transfer agent, the authentication level to the email based; and” is incomplete and it is not clear what does the limitation requires preventing a reader to establish the metes and bounds of the claimed invention. 
Additionally, the cancelled “security policy” phrase caused the second occurrence of the [security policy] lacking the antecedent basis.
Claims 2-8, 10-15 and 17-20 are rejected based on their dependencies on the independent claims including the missing limitation.

Claim Rejections - 35 USC § 103

Claim(s) 1-2, 5-9 and 16 is/are rejected under 35 U.S.C. 103 unpatentable over Thavais (USPUB 20130067546) in view of McClure (USPUB 20030208395) and further in view of Shah (EP2989770) or, in alternative Tuli (USPUB 20190012441).
As per claims 1, 5-8, Thavais teaches a method comprising: receiving, by a mail transfer agent associated with a mail server, an electronic mail (email) addressed to an email recipient (security tool 180 performs analysis of email content to ensure that sensitive or confidential information does not violate guidelines, para 139); assigning, by the mail transfer agent, 
While Thavasi addresses the concept of security policy enforcing access to data (email) by a recipient based on that requires security procedure (authentication) in order to access the data, Thavais does not expressly teach notifying the recipient regarding existence of data.  However, the concept of notifying the recipient would have been obvious in the art before the effective filling date of the invention as illustrated McClure (notify voter that the downloadable ballot has been stored on the server and is available for download, para 23). It would have been obvious to one of ordinary skill in the art before the effective filling date of the invention to include known solution of recipients notification as taught by McClure into Thavais’ invention given the predictable benefit of usability.
While Thavais as modified teaches notifying and authenticating the email data delivery service recipient, the difference between Thavais and applicant’s invention is that Thavais does not expressly discuss the authentication levels including the single and the multi-factor authentication required for access to content resource based on the content resource sensitivity, the multi-factor authentication being required for access to more sensitive content.  However, such solution would have been an obvious variant as illustrated by Shah (authentication based on assurance level determined by sensitivity of content.  For example, serving sensitive information (e.g. a banking service transmitting bank account information) requiring multi-factor authentication rather than just a password, para 49)) or Tuli (attempt to access a computing asset may present multiple authentication factors, which is not ordinarily required, the enhanced (multi-factor authentication) influenced by sensitivity associated with the asset, para 37).  It would have been obvious to one of ordinary skill in the art before the effective filling date of the invention to include Shah’s or Tuli’s teaching into Thavais as modified invention given the predictable benefit of customization and efficiency with increased security.
As per claims 9-10, 13-16, and 18-19 a skilled in the art would readily appreciate that the computing devices offer their functionalities by a processor executing instructions stored in media. 
As per claim 2, Thavais’ agent enforcing the security policy meets the broadest reasonable interpretation of a gateway, however even if a particular name/device was specifically required, the differences between the prior art and the claimed limitation would merely amount to the nonfunctional descriptive material and are not functionally involved in the steps recited.  The enforcing security policy would be performed the same regardless of the label/device used.   Thus, this descriptive material will not distinguish the claimed invention from the prior art in terms of patentability, see In re Gulack, 703 F.2d 1381, 1385, 217 USPQ 401, 404 (Fed. Cir. 1983); In re Lowry, 32 F.3d 1579, 32 USPQ2d 1031 (Fed. Cir. 1994).
Lastly, as per claim 20, Official Notice is taken that having at least some portion of the content is encrypted would have been old and well known in the art of electronic content communication before the effective filling date of the invention while motivating ordinary skill in the art to include such solution given the predictable benefit of security/privacy.  
Claim(s) 3, 10 and 17 is/are rejected under 35 U.S.C. 103 unpatentable over Thavais (USPUB 20130067546) in view of McClure (USPUB 20030208395) and Marimuthu (USPN 10178223), and further in view of Touve (USPUB 20110078257).
In the Thavais as modified teaches the component (agent/gateway) implementing security policy as discussed above.
As per claims 3 and 11, Thavais does not teach the gateway/security communication component being implemented on the mail server.  However, it is noted that there are essentially two different predictable choices: having the server and the component implemented together or separately, each of the choices being obvious variant of another.  However, for the purpose of the expedited prosecution, the examiner offers, Touve reference that expressly teach the security component implemented on the email server (firewall reside on email server, see para 22).  It would have been obvious to one of ordinary skill in the art before the effective filling date of the invention to include known solution as taught by Touve into Thavais’ as modified invention given the benefit of customization.  Similarly, it would have been obvious to one of ordinary skill in the art before the effective filling date of the invention to include Thavais’ as modified teaching into Touve’s invention given the benefit of additional security. 
As per claim 17, although in the broadest reasonable interpretation, one could argue that the limitation are inherent (clearly by the virtue of processing email according to policy any of the Thavais’ as modified component could meet the limitation of the claimed network security device), note that implementing Touve’s security component into Thavais’ as modified invention would also/additionally meet (another interpretation of) the claimed limitation.
Claim(s) 4 and 12 is/are rejected under 35 U.S.C. 103 unpatentable over Thavais (USPUB 20130067546) in view of McClure (USPUB 20030208395) and Marimuthu (USPN 10178223), and further in view of Sell (Dan Sell, “Firewall As a Service Model for Business Subscription”, 7/16, SonicWall, found on https://blog.sonicwall.com/en-us/2016/07/firewall-service-model-business-subscription/).
In the broadest reasonable interpretation, the security component implemented performing the policy services could be interpreted as being in a form of a service. 
However, it is noted that implementing functionality as a service, including security policy as a service would have been old and well known in the art of computing (see Sell’ reference discussion regarding firewall as a service).  It would have been obvious to one of ordinary skill in the art before the effective filling date of the invention to implement component enforcing the security policy as a service given the benefit of efficiency and/or substituting known solutions would have been obvious given the predictable benefit of security.  The party implementing services would meet the limitation of a Security-as-a-Service provider.  Alternatively, it would have been obvious to one of ordinary skill in the art before the effective filling date of the invention to include Thavai’s as modified teaching into Sell’s service provided by the SAAS provider given the benefit of additional security and functionality.

Conclusion

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 


Any inquiry concerning this communication or earlier communications from the examiner should be directed to Peter Poltorak whose telephone number is (571) 272-3840.  The examiner can normally be reached Monday through Thursday from 9:00 a.m. to 5:00 p.m. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on (571) 272-6798.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
/PIOTR POLTORAK/Primary Examiner, Art Unit 2433