Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


Response to Arguments

Applicant argues: “For instance, Dodke describes using a type of credentials (e.g. business or personal) as a factor to determine whether the application is business or personal. However, using type of credentials as a factor to determine a designation for an application teaches away from “comparing the designation of the website to the designation of the credentials to determine whether a match exists” (Remarks pg. 10).”
The Examiner respectfully disagrees. The claims require comparing the designation of the website and credentials to determine whether a match exists. While Dodke does use whether credentials are personal or business as a factor to determine the designation of the application, the designation of the credentials is merely one factor out of many in the determination.
For example, Col. 9, lines 64-67, teaches an example where a threshold of over 5 would indicate a business application and below would be a personal application.
In the situation where the business credentials are used, but all the other factors indicate personal (Col. 10, lines 6-24, teaches examples of factors) and the result was less than 5, the application would be designated as personal even though business credentials were used. This mismatch would lead to a DLP policy mitigation.
Alternatively, if the business credentials and all other factors indicate a business application, access would be allowed.
Therefore, the previously cited portions of Dodke teach the claim amendments.

Applicant argues: “At most, Jitkoff describes general use of browser extensions. Nothing in Jitkoff teaches or suggests receiving, via a browser extension, an instruction to initiate credential evaluation functions (Remarks pg. 10).”
The Examiner respectfully disagrees. Jitkoff, as Applicant admits, teaches browser extensions. Jitkoff also teaches credential evaluation. Paragraph [0080] teaches a browser application (i.e. browser extension) that evaluates password data.

In response to applicant's arguments against the references individually regarding Claim 4, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-5, 7-12, 14-19, and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Jitkoff (US 2015/0207800) in view of Dodke (US 10,191,908).


Regarding Claim 1,

Jitkoff (US 2015/0207800) teaches a computing platform, comprising: at least one processor; a communication interface communicatively coupled to the at least one processor; and a memory storing computer-readable instructions that, when executed by the at least one processor, cause the computing platform to:
receive a request to access data via a website, the request being made via a web browser and including user credentials associated with a user requesting to access the data (Paragraph [0082] teaches the first user enter the first identity information to access the web application)(Paragraph [0080] teaches first identity information includes credentials (i.e. first login data, first password data, first cookie data)); 
receive, via a browser extension embedded in the web browser, an instruction to initiate credential evaluation functions (Paragraph [0027-0028] “extension application that is installed in the browser application”); 
initiate the credential evaluation functions based on the instruction; generate an event record associated with request to access data, the event record including a uniform resource locator (URL) of the website and the user credentials (Paragraph [0082] teaches first identity information and “uniform resource locator of the web application”); 
store the generated event record; analyze the event record to identify a designation of the website; analyze the event record to identify a designation of the credentials of the user requesting to access the data (Paragraph [0090] teaches first profile is for a website associated with personal use); 
Jitkoff does not explicitly teach compare the designation of the website to the designation of the credentials to determine whether a match exists; responsive to determining that the designation of the website matches the designation of credentials, 
provide the requested access to data; responsive to determining that the designation of the website does not match the designation of the credentials, identify one or more mitigating actions; and execute the one or more mitigating actions.
Dodke (US 10,191,908) teaches compare the designation of the website to the designation of the credentials to determine whether a match exists; responsive to determining that the designation of the website matches the designation of credentials, 
provide the requested access to data (Col. 8, lines 37-55, teaches if a user is assigned to the business group that is authorized to use a business application, access is granted)(Also see Figure 3); 
responsive to determining that the designation of the website does not match the designation of the credentials, identify one or more mitigating actions; and execute the one or more mitigating actions (Col. 8, lines 37-55, teaches if a user is not assigned to the business group that is authorized to use a business application, apply a data loss prevention policy)(Also see Figure 3);
Dodke teaches wherein the designation of the website is one of: business or personal and the designation of the credentials is one of: business or personal (Col. 10, lines 18-20, “personal or business credentials”).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify Jitkoff with the matching of the designation of credentials as taught in Dodke.
The motivation is to improve systems and methods for managing data loss prevention policies (Col. 1, lines 47-50 of Dodke).


Regarding Claim 2,

Jitkoff and Dodke teach the computing platform of claim 1. Dodke teaches wherein the event record further including additional event details (Figure 4, 414, daytime factor, and associated text).

Regarding Claim 3,

Jitkoff and Dodke teach the computing platform of claim 2. Dodke teaches wherein the additional event details include a time of the request and a date of the request (Col. 10, lines 1-5, daytime or work hours).

Regarding Claim 4,

Jitkoff and Dodke teach the computing platform of claim 2. Dodke teaches wherein analyzing the event record to identify a designation of the website is performed using machine learning (Col. 13, lines 1-9, teaches using machine learning to analyze information known to be sensitive and non-sensitive). Dodke teaches information may include additional event details (Figure 4, 5). Jitkoff teaches information may include URL (Paragraph [0082]).

Regarding Claim 5,

Jitkoff and Dodke teach the computing platform of claim 1. Dodke teaches wherein identifying one or more mitigating actions further includes: evaluating a risk associated with the website and the credentials of the user; determining a risk score associated with the risk; comparing the risk score to one or more risk score thresholds (Col. 9, lines 55-67, teaches evaluating a threshold of 5 wherein an algorithm over 5 indicates a business application and below 5 indicates a personal application)(Col. 10, lines 19-23, teaches evaluating risk using credentials of the user);
and identifying the one or more mitigating actions based on the comparing (Col. 10, lines 14-17, teaches applying a DLP policy).


Regarding Claim 7,

Jitkoff and Dodke teach the computing platform of claim 6. Dodke teaches wherein one or more mitigating actions include one or more of: preventing access to the data (Col. 2, lines 12-13, blocking user action), generating and displaying a notification on a user device, and generating and displaying a notification on a supervising user device.

Regarding Claims 8-12, 14,

Claims 8-12, 14 are similar in scope to Claims 1-5, 7 and are rejected for a similar rationale.

Regarding Claims 15-19, 21,

Claims 15-19, 21 are similar in scope to Claims 1-5, 7 and are rejected for a similar rationale.


Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.


Any inquiry concerning this communication or earlier communications from the examiner should be directed to HARRIS C WANG whose telephone number is (571)270-1462. The examiner can normally be reached M-F 9:00-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, LUU PHAM, can be reached on 571-270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/HARRIS C WANG/ Primary Examiner, Art Unit 2439