Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION

Response to Amendment
The Amendment filed on September 22, 2022 has been received and entered. Claims 1, 9, 11, 15, 16 and 20 have been amended. Claims 1-20 are pending for examination. 
Rejections and/or objections not reiterated from previous office actions are hereby withdrawn.  The following rejections and/or objections are either reiterated or newly applied.  They constitute the complete set presently being applied to the instant application.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 9/08/2022 has been considered by the examiner.  Please see attached PTO-1449.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1, 5, 11, 12, 16 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Dionne (U.S. Pat. No. 9,009,078) in view of Allen et al. (U.S. Pat. Pub. 2007/0100829).

Referring to claim 1, Dionne teaches a method comprising: 
configuring, based on one or more security policies for sensitive data (Various approaches can be used to lock the digital content on the CD. For example, the digital content can be only partially locked so that a user can put the CD in the drive and the CD will generate thumbnails of the pages for display on the user's monitor, see Dionne, Col. 6, lines 22-27), a locked dataset in a storage system (the locked digital content 31 is locally stored such as on a CD or remotely stored such as on a web site on the Internet, see Dionne, Col. 4, lines 41-44),
associating one or more authorization policies with the locked dataset (The process generates 138 the test from the selected test type and sends 140 the user a web page or the like that includes the test and a field for the user to enter an answer to test, see Dionne, Col. 8, lines 8-11); and 
determining, based on at least the one or more authorization policies (The process generates 138 the test from the selected test type and sends 140 the user a web page or the like that includes the test and a field for the user to enter an answer to test. The user answers the test and sends the answer back to the web site, see Dionne, Col. 8, lines 8-13), whether to permit a user to unlock the locked dataset (The process 130 evaluates 142 the answer supplied by the user to see if the answer was correct. If the test was answered correctly, the process 130 unlocks 144 the digital content on the web site,… If the user answered incorrectly, an error message can be returned 148, see Dionne, Col. 8, lines 13-20).
However, Dionne does not explicitly teach a lock on the locked dataset restricts replication of the locked dataset, wherein the authorization policies specify which roles have specified authorization.
Allen et al. teaches a lock on the locked dataset restricts replication of the locked dataset (the security information may restrict or permit only certain actions such as accessing, viewing, copying, modifying, publishing and/or deleting data sets, see Allen et al., Para. 26. Content or content groups may be fully locked within a course, preventing unauthorized editing, moving, hiding, publication, deletion, or copying… Locking controls may be in addition to rights and permissions granted through role assignments…permissions rules still govern content editing within the CMS to prevent unauthorized content alterations, see Allen et al., Para. 48), wherein the authorization policies specify which roles have specified authorization (Varying levels of access may be granted users based on various user role types and user rights, see Allen et al., Para. 13).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to modify the method of Dionne, to have a lock on the locked dataset restricts replication of the locked dataset, wherein the authorization policies specify which roles have specified authorization, as taught by Allen et al., to provide an efficient system and method to author, develop, control, organize, distribute, lock, update, reuse, and/or re-purpose educational content across courses and organizations (Allen et al., Para. 3).

As to claim 5. Dionne as modified teaches in response to a request to replicate the locked dataset (Upon receiving 42 an input to open a file with locked digital content, see Dionne, Col. 4, lines 63-64), determining whether to permit (The process 130 evaluates 142 the answer supplied by the user to see if the answer was correct. If the test was answered correctly, the process 130 unlocks 144 the digital content on the web site,… If the user answered incorrectly, an error message can be returned 148, see Dionne, Col. 8, lines 13-20) replication of the locked dataset (the security information may restrict or permit only certain actions such as accessing, viewing, copying, modifying, publishing and/or deleting data sets, see Allen et al., Para. 26).

Referring to claim 11, Dionne teaches an apparatus comprising a computer processor, a computer memory (In addition to the CPU 14, the system includes main memory, see Dionne, Col. 4, lines 5-6) operatively coupled to the computer processor, the computer memory having disposed within it computer program instructions that, when executed by the computer processor, cause the apparatus to carry out the steps, which recites the corresponding limitations as set forth in claim 1 above; therefore, it is rejected under the same subject matter.

Claim 12 is rejected under the same rationale as stated in the claim 5 rejection.

Referring to claim 16, Dionne teaches a computer program product disposed on a computer readable medium (memory, see Dionne, Col. 4, line 5), the computer program product including computer program instructions that, when executed, carry out the steps, which recites the corresponding limitations as set forth in claim 1 above; therefore, it is rejected under the same subject matter.

Claim 17 is rejected under the same rationale as stated in the claim 5 rejection.

Claims 2 and 3 are rejected under 35 U.S.C. 103 as being unpatentable over Dionne (U.S. Pat. No. 9,009,078) in view of Allen et al. (U.S. Pat. Pub. 2007/0100829) as applied to claims 1, 5, 11, 12, 16 and 17 above, and in further view of Jewell et al. (U.S. Pat. Pub. 2018/0150477).

As to claim 2, Dionne as modified teaches the lock prevents replication of the locked dataset (the security information may restrict or permit only certain actions such as accessing, viewing, copying, modifying, publishing and/or deleting data sets, see Allen et al., Para. 26. Content or content groups may be fully locked within a course, preventing unauthorized editing, moving, hiding, publication, deletion, or copying… Locking controls may be in addition to rights and permissions granted through role assignments…permissions rules still govern content editing within the CMS to prevent unauthorized content alterations, see Allen et al., Para. 48). 
However, Dionne as modified does not explicitly teach replication of the dataset from the storage system to a different storage system.
Jewell et al. teaches replication of the dataset from the storage system to a different storage system (To access such content users typically use a user interface (UI) to interface with a content management server of the content management system. They reserve ( or "check out") the content and download it locally on their computer (e.g., referred to as a client), see Jewell et al., Para. 6).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to modify the method of Dionne as modified, to have replication of the dataset from the storage system to a different storage system, as taught by Jewell et al., to reduce network usage (Jewell et al., Para. 50).

As to claim 3, Dionne as modified teaches the lock prevents replication of the locked dataset (the security information may restrict or permit only certain actions such as accessing, viewing, copying, modifying, publishing and/or deleting data sets, see Allen et al., Para. 26. Content or content groups may be fully locked within a course, preventing unauthorized editing, moving, hiding, publication, deletion, or copying… Locking controls may be in addition to rights and permissions granted through role assignments…permissions rules still govern content editing within the CMS to prevent unauthorized content alterations, see Allen et al., Para. 48).
However, Dionne as modified does not explicitly teach wherein storage system is a production environment storage system; and replication the dataset from the production environment storage system to a non-production environment storage system.
Jewell et al. teaches wherein storage system is a production environment storage system (a content management server 102 executing a content management module 104 to manage data resources (files, folders or other discrete sets of data) stored in data store 110, which may include one or more file systems, databases or other data stores to store managed items, see Jewell et al., Para. 36); and replication the dataset from the production environment storage system to a non-production environment storage system (To access such content users typically use a user interface (UI) to interface with a content management server of the content management system. They reserve ( or "check out") the content and download it locally on their computer (e.g., referred to as a client), see Jewell et al., Para. 6).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to modify the method of Dionne as modified, to have storage system is a production environment storage system; and replication the dataset from the production environment storage system to a non-production environment storage system, as taught by Jewell et al., to reduce network usage (Jewell et al., Para. 50).

Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Dionne (U.S. Pat. No. 9,009,078) in view of Allen et al. (U.S. Pat. Pub. 2007/0100829) as applied to claims 1, 5, 11, 12, 16 and 17 above, and in further view of Castellanos et al. (U.S. Pat. Pub. 2008/0270370).

As to claim 6, Dionne as modified does not explicitly teach replication of a desensitized version of the locked dataset is permitted, in accordance with the one or more security policies, after sensitive data has been desensitized.
Castellanos et al. teaches replication of a desensitized version of the locked dataset is permitted, in accordance with the one or more security policies, after sensitive data has been desensitized (desensitization of the selected sensitive data into desensitized data, see Castellanos et al., Para. 74, the desensitized data is exported to a desensitized database such that the desensitized database replicates a table structure of the database that the sensitive data was accessed from, see Castellanos et al., Para. 78. In addition to teaching of limitation “determining, in dependence upon at least the one or more authorization policies, whether to permit a user to unlock the locked dataset” in claim 1).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to modify the method of Dionne as modified, to have replication of the dataset from the storage system to a different storage system, as taught by Castellanos et al., to secure sensitive information (Castellanos et al., Para. 5).

Claims 4, 7-9, 13-15 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Dionne (U.S. Pat. No. 9,009,078) in view of Allen et al. (U.S. Pat. Pub. 2007/0100829) as applied to claims 1, 5, 11, 12, 16 and 17 above, and in further view of Dreyfus (U.S. Pat. No. 9,990,511).

As to claim 4, Dionne as modified does not explicitly teach the lock restricts restoration of the locked dataset to a previous version of the locked dataset.
Dreyfus teaches the lock restricts restoration of the locked dataset to a previous version of the locked dataset (endpoint system decrypts the trusted backup copy using the trusted decryption key… endpoint system replaces files encrypted by the malicious application with decrypted files obtained from the trusted backup copy. By restoring encrypted files with decrypted files from a backup copy generated, Dreyfus, Col. 9, lines 56-66. The restoration can be done by endpoint system but not others, so it is restricted and it is restricted to all the restoration).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to modify the method of Dionne as modified, to have the lock restricts restoration of the locked dataset to a previous version of the locked dataset, as taught by Dreyfus, to prevent data loss from encryption attacks (Dreyfus, Col. 1, lines 10-11).

As to claim 7, Dionne as modified teaches a lock on the locked snapshot restricts replication of the locked snapshot (the security information may restrict or permit only certain actions such as accessing, viewing, copying, modifying, publishing and/or deleting data sets, see Allen et al., Para. 26. Content or content groups may be fully locked within a course, preventing unauthorized editing, moving, hiding, publication, deletion, or copying… Locking controls may be in addition to rights and permissions granted through role assignments…permissions rules still govern content editing within the CMS to prevent unauthorized content alterations, see Allen et al., Para. 48).
However, Dionne as modified does not explicitly teach creating a locked snapshot of the locked dataset.
Dreyfus teaches creating a locked (endpoint system 122 may create a protected directory on file system 124 in which endpoint system 122 saves the encrypted backup. The protected directory may allow write access only by endpoint monitor 122 and either allow other applications to only read the protected directory or block all access to the protected directory by applications other than endpoint monitor 122, Dreyfus, Col. 6, lines 11-17) snapshot of the locked dataset (creates an encrypted backup copy, see Dreyfus, Col. 1, line 67).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to modify the method of Dionne as modified, to have creating a locked snapshot of the locked dataset, as taught by Dreyfus, to prevent data loss from encryption attacks (Dreyfus, Col. 1, lines 10-11).

As to claim 8, Dionne as modified teaches the lock on the locked snapshot further restricts restoration of the locked snapshot (endpoint system decrypts the trusted backup copy using the trusted decryption key… endpoint system replaces files encrypted by the malicious application with decrypted files obtained from the trusted backup copy. By restoring encrypted files with decrypted files from a backup copy generated, Dreyfus, Col. 9, lines 56-66. The restoration can be done by endpoint system but not others, so it is restricted).

As to claim 9, Dionne as modified teaches in response to a request to restore the locked snapshot (restoring files from an encrypted backup copy in response to detecting encryption operations by a malicious operation, Dreyfus, Col. 2, lines 36-38), determining, based on the one or more authorization policies, whether to permit (The process generates 138 the test from the selected test type and sends 140 the user a web page or the like that includes the test and a field for the user to enter an answer to test. The user answers the test and sends the answer back to the web site. The process 130 evaluates 142 the answer supplied by the user to see if the answer was correct. If the test was answered correctly, the process 130 unlocks 144 the digital content on the web site,… If the user answered incorrectly, an error message can be returned 148, see Dionne, Col. 8, lines 8-20) a user to restore the locked snapshot (restoring files from an encrypted backup copy in response to detecting encryption operations by a malicious operation, Dreyfus, Col. 2, lines 36-38).

Claim 13 is rejected under the same rationale as stated in the claim 7 rejection.

Claim 14 is rejected under the same rationale as stated in the claim 8 rejection.

Claim 15 is rejected under the same rationale as stated in the claim 9 rejection.

Claim 18 is rejected under the same rationale as stated in the claim 7 rejection.

Claim 19 is rejected under the same rationale as stated in the claim 8 rejection.

Claim 20 is rejected under the same rationale as stated in the claim 9 rejection.

Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Dionne (U.S. Pat. No. 9,009,078) in view of Allen et al. (U.S. Pat. Pub. 2007/0100829) as applied to claims 1, 5, 11, 12, 16 and 17 above, and in further view of O'Byrne (U.S. Pat. Pub. 2013/0054650).

As to claim 10, Dionne as modified does not explicitly teach identifying, in the storage system, a dataset to lock in accordance with the one or more security policies for sensitive data.
However, O'Byrne teaches identifying, in the storage system, a dataset to lock in accordance with the one or more security policies for sensitive data (At decision block 240, it is determined if there are column obfuscation patterns within the column names of the database schema. Column obfuscation patterns within the column names are patterns that may define a column content to be sensitive data. For example, if the column name is "SSN", then the content is considered to be social security numbers, which is typically sensitive data, see O'Byrne, Para. 16).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to modify the method of Dionne as modified, to have identifying, in the storage system, a dataset to lock in accordance with the one or more security policies for sensitive data, as taught by O'Byrne, to avoid time consuming operation (O'Byrne, Para. 2).

Response to Argument
Applicant’s remarks filed on 9/22/2022 with respect to claims 1, 11 and 16 have been considered but they are moot in view of the new ground(s) of rejection.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAU SHYA MENG whose telephone number is (571)270-1634. The examiner can normally be reached 9AM-5PM EST M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Fred Ehichioya can be reached on 571-272-4034. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/JAU SHYA MENG/
Primary Examiner, Art Unit 2168