DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

This office action is in response to applicant’s amendment filed on 09/01/2022.
Claims 1-5, 7-8, 11, 13-14, 17 and 19-20 are pending and examined.
Claims 6, 9, 10, 12, 15, 16 and 18 have been cancelled.

Response to Arguments
Applicant’s arguments filed on 09/01/2022 have been fully considered but they are not persuasive.
Applicant argued that the cited prior art does not teach the new limitations of “providing, by the computing hardware, the response to an external system; determining, by the computing hardware and based on information received from the external system, that the data subject exists, wherein the information is based on an accuracy of the response provided by the requestor”. The examiner respectfully disagrees. Ayed suggests the above (paragraphs [0327][0328][0340]-[0346]; a multi-factor authentication method for gaining access to an application, after a user’s password is validated (first factor), providing more authentication questions (more factors) to validate the requester; the system receives a request to perform biometric authentication from the interface, the interface may output a challenge question, the question could include asking the user’s city, birthday, age, or requesting the user to enter something (a response) only the user knows; the system for authentication sends the sample of biometric information to a remote server (an external system) for authentication; after the user is authenticated (it implies the user/data subject exists; the biometric information entered by the user matches (100% accuracy) the biometric information stored in the remote server), the user is granted access to the application).
The examiner is available for a phone interview with applicant.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-5, 8, 13, 14 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Chin et al. (US PGPUB 2010/0161973) hereinafter Chin, in view of Ayed (US PGPUB 2012/0019379), in view of Goertzen (US PGPUB 2014/0143844).

Per claim 1, Chin discloses “a method comprising: receiving a data subject access request to access data for a data subject from a requestor” (Fig. 4; paragraphs [0002][0003][0045]; a user logs in to access information on the user’s account (data subject access request); a login request may include a user name and password (characteristic for the data subject)); “responsive to the requestor is the data subject, sending a first electronic correspondence to the requestor, wherein the first electronic correspondence comprises an authentication token; and sending a second electronic correspondence to the requestor, wherein the second electronic correspondence comprises a link that the requestor may select to gain access to the data” (Figs. 3, 4; paragraphs [0018]-[0020][0042]-[0045]; after determining login is successful, a server generates an authentication token and provides it to the requester (first electronic correspondence); the server also provides a content page code to the requester; upon receiving subsequent input from a user, the browser application may send a new content request to the server; the server provides the requested content (second electronic correspondence) to the browser, the browser displays the new content page code; the requester can click on a link on the content page to request and retrieve more content from the user account, the request includes the authentication token).
Chin discloses validating user login information, but does not explicitly teach “responsive to receiving the data subject data access request, providing by computing hardware a plurality of knowledge-based authentication questions configured to validate the requestor as the data subject; receiving a response to at least one of the plurality of knowledge-based authentication questions from the requestor; providing, by the computing hardware, the response to an external system; determining, by the computing hardware and based on information received from the external system, that the data subject exists, wherein the information is based on an accuracy of the response provided by the requestor; determining whether the requestor is the data subject based at least in part on the response provided by the requestor to the at least one of the plurality of knowledge-based authentication questions being correct”. However, Ayed suggests the above (Fig. 17; paragraphs [0327][0328][0340]-[0346]; a multi-factor authentication method for gaining access to an application, after a user’s password is validated (first factor), providing more authentication questions (more factors) to validate the requester; the system receives a request to perform biometric authentication from the interface, the interface may output a challenge question, the question could include asking the user’s city, birthday, age, or requesting the user to enter something (a response) only the user knows; the system for authentication sends the sample of biometric information to a remote server (an external system) for authentication; after the user is authenticated (it implies the user/data subject exists; the biometric information entered by the user matches (100% accuracy) the biometric information stored in the remote server), the user is granted access to the application; thus, the user is validated as the data subject based on answering correct authentication questions (questions only the data subject can answer)). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Chin and Ayed to utilize the multi-factored authentication method in Ayed (asking additional authentication questions after validating the user’s name and password) to grant the user access to user account information, as the multi-factored authentication method is more secure than the single-factored authentication commonly used.

Per claim 2, Chin further suggests “wherein the link is configured to open a graphical user interface to gain access to the data, and the graphical user interface is configured to request the requestor to provide the authentication token to access the data” (Figs. 3, 4; paragraphs [0018]-[0020][0042]-[0045]; the server also provides a content page code to the requester; a browser (user interface) displays the content page code; the requester can click on a link on the content page to request and retrieve content from the user account, and the browser would display the requested content; the user clicking on the link results in the authentication token automatically being sent to the server; it would have been obvious that the browser can prompt a user whether or not to send the authentication token to the server, as this gives the user more flexibility and control over the authentication process).

Per claim 3, Chin further suggests “wherein the graphical user interface comprises a website that is accessible via the link through a browser executing on a computing device being used by the requestor” (Figs. 3, 4; paragraphs [0018]-[0020][0042]-[0045]; the server also provides a content page code to the requester; a browser (user interface) displays the content page code (web page); the requester can click on a link on the content page to request and retrieve content from the user account, the browser would display the requested content).

Per claim 4, Chin further suggests “generating by computing hardware a unique identifier for the data subject access request; and providing the unique identifier to the requestor, wherein the graphical user interface requests the requestor to provide the unique identifier along with the authentication token to access the data” (paragraphs [0047][0048]; the server generates a unique user login identifier, the user login identifier may be associated with the user's session and is valid for the length of the session, the user login identifier information is included in the authentication token (which also includes additional information) and to be used in the authentication process; therefore, when the authentication token is utilized to access user data, the user login identifier information is also being utilized to access user data).

Per claim 5, Ayed further suggests “wherein providing the plurality of knowledge-based authentication questions comprises providing the plurality of knowledge-based authentication questions for display on a graphical user interface so that the requestor can provide the response to the at least one of the plurality of knowledge-based authentication questions” (paragraphs [0340]-[0343][0346][0358]; a multi-factor authentication method for gaining access to an application, after a user’s password is validated (first factor), providing more authentication questions (more factors) to validate the requester, questions include asking the user’s city, birthday, age, or requesting the user to enter something (a response) only the user knows; questions are asked through a display).

Per claim 8, Chin discloses “A system comprising: a non-transitory computer-readable medium storing instructions; and a processing device communicatively coupled to the non-transitory computer-readable medium, wherein, the processing device is configured to execute the instructions and thereby perform operations comprising” (Fig. 2) “receiving a data subject access request to access personal data from a requestor” (Fig. 4; paragraphs [0002][0003][0045]; a user logs in to access information on the user’s account (data subject access request)); “responsive to determining the requestor is the data subject: providing an authentication token to the requestor through a first electronic correspondence; and providing a link to the requestor through a second electronic correspondence, wherein the link is configured to be selected by the requestor to gain access to the personal data” (Figs. 3, 4; paragraphs [0018]-[0020][0042]-[0045]; after determining login is successful, a server generates an authentication token and provides it to the requester (first electronic correspondence); the server also provides a content page code to the requester; upon receiving subsequent input from a user, the browser application may send a new content request to the server; the server provides the requested content (second electronic correspondence) to the browser, the browser displays the content page code; the requester can click on a link on the content page to request and retrieve more content from the user account).
Chin discloses validating user login information, but does not explicitly teach “responsive to receiving the data subject access request, providing a knowledge-based authentication question for display via a graphical user interface to the requestor, the knowledge-based authentication question configured to validate the requestor as a data subject associated with the personal data; requesting a response to the knowledge-based authentication question from the requestor through the graphical user interface; receiving the response to the knowledge-based authentication question from the requestor; providing, by the computing hardware, the response to an external system; determining, by the computing hardware and based on information received from the external system, that the data subject exists, wherein the information is based on an accuracy of the response provided by the requestor; determining the requestor is the data subject based at least in part on the response provided by the requestor to the knowledge-based authentication question being correct; and”. However, Ayed suggests the above (Fig. 17; paragraphs [0327][0328][0340]-[0346]; a multi-factor authentication method for gaining access to an application, after a user’s password is validated (first factor), providing more authentication questions (more factors) to validate the requester; the system receives a request to perform biometric authentication from the interface, the interface (GUI) may output a challenge question, the question could include asking the user’s city, birthday, age, or requesting the user to enter something (a response) only the user knows; the system for authentication sends the sample of biometric information to a remote server (an external system) for authentication; after the user is authenticated (it implies the user/data subject exists; the biometric information entered by the user matches (100% accuracy) the biometric information stored in the remote server), the user is granted access to the application; thus, the user is validated as the data subject based on answering correct authentication questions (questions only the data subject can answer)). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Chin and Ayed to utilize the multi-factored authentication method in Ayed (asking additional authentication questions after validating the user’s name and password) to grant the user access to user account information, as the multi-factored authentication method is more secure than the single-factored authentication commonly used.

Per claim 13, Ayed further suggests “receiving an image of an identifying document via the graphical user interface, in which determining whether the requestor is the data subject is also based at least in part on the image of the identifying document” (paragraphs [0340]-[0343][0320][0315]; a multi-factor authentication method for gaining access to an application, after a user’s password is validated (first factor), providing more authentication questions (more factors) to validate the requester, including asking a user to scan and capture an image of a hand to authenticate the user, or a user is asked to enter the user’s signature (an image) to authenticate the user).

Claim 14 is rejected under similar rationales as claim 8.
Claim 19 is rejected under similar rationales as claim 13.
Claim 20 is rejected under similar rationales as claim 1.

Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Chin, in view of Ayed and in view of Grigg et al. (US PGPUB 2016/0248781) hereinafter Grigg.

Per claim 7, Chin does not teach “identifying a type for the data subject access request; and determining by the computing hardware, based at least in part on the type, a number of the plurality of knowledge-based authentication questions required to be answered with a correct response to validate the requestor as the data subject”. However, Grigg suggests the above (Fig. 1C, paragraphs [0003][0022][0023][0051]; a banking application to allow a user to perform various functions with respect to the user's account with the bank; a user-selected preference to allow a user different levels of access to an application; a user can request access to a particular access level of the application, each access level requires a specified type of authentication; a higher level of application access provides more functionalities and requires a higher level of authentication; thus, if a user requests a second type of data subject access (such as reading bank account information), it requires a user name and a password (a second type of authentication); if a user requests a third type of data subject access (moving money between accounts, modifying bank account information), it requires a username, a password and a challenge question (a third type of authentication)). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Chin, Ayed and Grigg to allow a user to set preferences for different types of authentication methods for different types of data subject access request (a higher level of access requires answering more questions); this would provide a more customized authentication model for the banking application, to meet the need for personalizing the authentication process (Grigg, paragraph [0002]), and better security for the banking application (a higher level of authentication for a higher level of functionality).

Claims 11 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Chin, in view of Ayed, and in view of Goertzen (US PGPUB 2014/0143844).

Per claim 11, Chin further suggests “wherein the link is configured to open a second graphical user interface to gain access to the personal data” (Figs. 3, 4; paragraphs [0018]-[0020][0042]-[0045]; a user logs in to access information on the user’s account; the server also provides a content page code to the requester; a browser (user interface) displays the content page code; the requester can click on a link on the content page to request and retrieve content from the user account, and the browser would display in a window (second graphical user interface) content from the clicked link). Chin does not explicitly teach “the second graphical user interface is configured to request the requestor to enter the authentication token into the second graphical user interface to access the personal data”. However, Goertzen further suggests the above (claim 1, paragraph [0071]; a method for allowing access to a resource; a user enters the computed token (textual entry) into the (second) user interface; causing the system to compare the user’s input with at least one corresponding token generated by the authentication system; and selectively providing access by the user to said resource for said session in conformity with a matching result of said comparing). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Chin, Ayed and Goertzen to grant the user access to data subject data by prompting the user to enter a textual entry and comparing the user’s input with an authentication token, as such an improved token system provides better security for an authentication system (Goertzen, paragraphs [0007][0008]).

Claim 17 is rejected under similar rationales as claim 11.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to HANG PAN whose telephone number is (571)270-7667. The examiner can normally be reached 9 AM to 5 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Chat Do can be reached on 571-272-3721. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/HANG PAN/Primary Examiner, Art Unit 2193