DETAILED ACTION

Notice of AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

The present office action is responsive to communications received on 7/17/2020. Claims 1-20 are pending.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant regards as the invention.

The rejection(s) under 35 U.S.C. 112(b) is/are determined by the following reasons:
Claim 1 recites "A system for providing data access security to data stored within a data repository, the system comprising: a monitoring and cognitive analysis engine including…receive the data access rules from the cognitive analysis engine". Claim 2 recites "in response to receiving the context access token from the cognitive analysis engine". There is insufficient antecedent basis for the limitation “the cognitive analysis engine” in the claims.

Claim 2 recites "The system of claim 1, wherein the first instructions are further configured to: generate a context access token that identifies a context of the inputs," which contradicts claim 4 reciting “The system of claim 2, wherein second instructions configured to generate the context access token are further configured to…”

Claim 11 recites “A computer-implemented method for providing data access security to data stored within a data repository… in response to receiving a data request initiated at the communication platform for retrieving data from a data repository, determining whether the data request matches the access rules;” It is not clear whether both recitations of “data repository” refer to the same data repository. Please refer to claim 1 for comparison.

Claim 16 recites “a first set of codes for causing a computer processing device to… a second set of codes for causing a computer processing device to… a third set of codes for causing a computer processing device to… a fourth set of codes for causing a computer processing device to… a fifth set of codes for causing a computer processing device to”, and claim 17 recites “a sixth set of codes for causing a computer processing device to… a seventh set of codes for causing a computer processing device to”. It is not clear whether all these different sets of codes cause the same “computer processing device” to perform the actions.

Claim 19 recites "wherein the first set of codes is further configured to cause the computing processor device to". There is insufficient antecedent basis for this limitation “the computing processor device” in the claim.

Claim 20 recites "wherein the first set of codes is configured to cause the computing device processor to". There is insufficient antecedent basis for this limitation “the computing device processor” in the claim.

The dependent claims included in the statement of rejection but not specifically addressed in the body of the rejection have inherited the deficiencies of their parent claims and have not resolved the deficiencies. Therefore, they are rejected based on the same rationale as applied to their parent claims above.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 6-11, 14-16 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Van Dyne (US 20170329991 A1) in view of Karia (US 20200364358 A1).

Regarding claim 1, Van Dyne teaches a system for providing data access security to data stored within a data repository, the system comprising:
a monitoring and analysis engine including a first memory and one or more first processing devices in communication with the first memory, wherein the first memory stores first instructions that are executable by the one or more first processing devices and configured to; and ([0027] FIG. 2, the service provider 102 may be implemented by one or more computing devices. The one or more computing devices may be equipped with one or more processors 202, memory 204, and/or one or more interfaces 206. The one or more processors 202, the memory 204, and/or the one or more interfaces 206 may be communicatively coupled to each other.)
monitor inputs provided at a communication platform, ([0062] FIG. 4, At 402, a computing device may receive a request from a requestor regarding handling of data.)
cognitively analyze the inputs to determine data requirements associated with the inputs, ([0062] the request may specify a particular action or type of action that will be performed with the data or has been performed with the data. An action or type of action may include accessing, storing, manipulating, sharing, publishing, analyzing, archiving, marketing, targeting, selling, destroying, transforming, and so on. Further, in some instances the request may specify an entity involved in performing the action or type of action, a data subject, etc.)
create or retrieve data access rules based on the data requirements, and ([0043] the response processing module 210 may retrieve contextual information associated with data identified in a request. The response processing module 210 may also analyze information included in a request (e.g., an action or type of action being requested, an entity involved, etc.) and/or rule logic stored in the rules logic data store 218. In some instances, the response processing module 210 may operate in cooperation with the rule logic module 214, which may access and/or evaluate rule logic. The rule logic may identify data-handling requirements that are applicable to the request.)
initiate communication of the data access rules to an access gateway; and ([0053] the service provider 102 may employ any of the modules 208-214 and/or the data stores 216-222 to implement data compliance platforms.)
the access gateway including a second memory and one or more second processing devices in communication with the second memory, wherein the second memory stores second instructions that are executable by the one or more second processing devices and configured to: ([0027] FIG. 2, the service provider 102 may be implemented by one or more computing devices. The one or more computing devices may be equipped with one or more processors 202, memory 204, and/or one or more interfaces 206. The one or more processors 202, the memory 204, and/or the one or more interfaces 206 may be communicatively coupled to each other.) Indeed, it would be obvious to make this function separable if it is desired; See MPEP 2144.04(V)(C).
receive the data access rules from the analysis engine, ([0063] At 404, the computing device may retrieve contextual information. This may include identifying metadata tags associated with the data for the contextual information, retrieving the contextual information from a data store, and so on.)
in response to receiving a data request initiated at the communication platform for retrieving data from the data repository, determine whether the data request matches the access rules, and ([0064] At 406, the computing device may determine a response to the request based on the contextual information, updated contextual information, and/or one or more data-handling requirements that are applicable to the request. The determination may additionally, or alternatively, be based on an action or type of action being taken, an entity involved in performing the action or type of action, and so on. In some instances, the updated contextual information may comprise the contextual information that is updated to reflect performance of an action or type of action in the request. The response may indicate, for example, whether or not a particular action or type of action can be performed in view of one or more data-handling requirements that are applicable to the request, a task that needs to be performed to enable a particular action or type of action to be performed with the data (e.g., transforming the data, obtaining consent/authorization for performing an action that involves the data, etc.), any action or type of action that can be performed with the data in view of one or more data-handling requirements that are applicable to the data, one or more data-handling requirements that are applicable to the data, a history of the data (e.g., based on history data included within the contextual information), and so on.)
in response to determining that the data request matches the access rules, provide rule-based access to data associated with the data request from within the data repository. ([0065] At 408, the computing device may provide the response to the requestor. This may include sending the response over a network, causing the response to be output via a User Interface (UI), and so on.)

Van Dyne teaches managing data cognitively using contextual information (¶2) and user identity information (granting or denying access to data based on credentials provided by a requestor, ¶53), but does not explicitly teach the analysis engine being a cognitive analysis engine. This aspect of the claim is identified as a difference.

However, Karia, in an analogous art, explicitly teaches a cognitive analysis engine. ([0005] a system that includes one or more of a network interface configured to receive a request for access to data of a user, where the request comprises an identification of a requestor and an identification of the data, a processor configured to one or more of determine, via a cognitive engine, whether or not to provide access to the data of the user based on context associated with the user, and, in response to a determination to provide access to the data of the user, invoke chaincode which retrieves access to the data of the user from a blockchain and provides the requestor with access to the data of the user, and a storage configured to store a result of the determination by the cognitive engine via the blockchain.)
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the “dynamic management of data with context-based processing” concept of Van Dyne, and the “cognitive system for managing consent to user data” approach of Karia. For this combination, the motivation would have been to classify the authenticity of the access request and make a decision on what segment of data can be given access to efficiently (Karia [0084]).

Regarding claim 6, Van Dyne in view of Karia teaches all the features with respect to claim 1, as outlined above. The combination further teaches wherein the communication platform is a voice or text chat communication platform, and ([Van Dyne 0032] a telecommunications carrier (e.g., AT&T®, Verizon®, etc.) may acquire voice data, text data, network traffic data, etc.)
wherein the first instructions configured to monitor are further configured to monitor by listening to the inputs, wherein the inputs are voice or text inputs provided by a calling party and a called party, and wherein the data request is received from the called party based on information provided by the calling party. ([Van Dyne 0015] In some instances, the service provider may use contextual information to respond to data-handling requests regarding data-handling of the data. A requestor [analogous to claim limitation “calling party”] (e.g., internal business area, call from an application or service, machine to machine (M2M), etc.) may send a request to the service provider [analogous to claim limitation “called party”] requesting information on how the data can be used, what needs to occur to use the data for a particular purpose, what data-handling requirements apply to the data, what should be done to address a recent use of the data, or any other question.)

Regarding claim 7, Van Dyne in view of Karia teaches all the features with respect to claim 6, as outlined above. The combination further teaches wherein the first instructions configured to cognitively analyze the inputs are further configured to cognitively analyze the voice or text inputs to determine an identity of the calling party and at least one basis for the calling party to initiate a call with the called party. ([Van Dyne 0015] A requestor [analogous to claim limitation “calling party”] (e.g., internal business area, call from an application or service, machine to machine (M2M), etc.) may send a request to the service provider [analogous to claim limitation “called party”] requesting information on how the data can be used, what needs to occur to use the data for a particular purpose, what data-handling requirements apply to the data, what should be done to address a recent use of the data, or any other question. [0053] data compliance platform may inform or act as a gatekeeper to grant or deny access to data (e.g., based on credentials that are provided by a requestor).) It would have been prima facie obvious to one of ordinary skill in the art to determine the identity/credentials of the requestor by analyzing the call between requestor and service provider.

Regarding claim 8, Van Dyne in view of Karia teaches all the features with respect to claim 1, as outlined above. The combination further teaches wherein the communication platform is a mobile or web-based application, and wherein the first instructions configured to monitor are further configured to monitor the inputs provided by a user within the mobile application or web-based application. ([Van Dyne 0024] the requestor 106 may comprise any type of computing device, such as a laptop computer, a desktop computer, a server, a smart phone, an electronic reader device, a mobile handset, a personal digital assistant (PDA), a portable navigation device, a portable gaming device, a video game console, a tablet computer, a watch, a portable media player, a wearable computing device (e.g., a watch, an optical head-mounted display (OHMD), etc.), a pair of head-mounted smart glasses (e.g., mixed reality head-mounted smart glasses), a motion sensing device, a television, a computer monitor or display, a set-top box, a computer system in a vehicle, an appliance, a camera, a robot, a hologram system, a security system, a thermostat, a smoke detector, an intercom, a home media system, a lighting system, a heating, ventilation and air conditioning (HVAC) system, a home automation system, a projector, an automated teller machine (ATM), and so on. In some instances, the computing device may comprise a mobile device.) In addition, Van Dyne discloses that “A requestor (e.g., internal business area, call from an application or service [analogous to claim limitation “mobile application”], machine to machine (M2M), etc.) may send a request to the service provider requesting information on how the data can be used, what needs to occur to use the data for a particular purpose, what data-handling requirements apply to the data, what should be done to address a recent use of the data, or any other question.” (¶15)

Regarding claim 9, Van Dyne in view of Karia teaches all the features with respect to claim 1, as outlined above. The combination further teaches wherein the second instructions are further configured to:
in response to determining that the access request does not match the access rules, deny access or request further authentication credentials to gain rule-based access to the data associated with the data request. ([Van Dyne 0064] At 406, the computing device may determine a response to the request based on the contextual information, updated contextual information, and/or one or more data-handling requirements that are applicable to the request. The determination may additionally, or alternatively, be based on an action or type of action being taken, an entity involved in performing the action or type of action, and so on. In some instances, the updated contextual information may comprise the contextual information that is updated to reflect performance of an action or type of action in the request. The response may indicate, for example, whether or not a particular action or type of action can be performed in view of one or more data-handling requirements that are applicable to the request, a task that needs to be performed to enable a particular action or type of action to be performed with the data (e.g., transforming the data, obtaining consent/authorization for performing an action that involves the data, etc.), any action or type of action that can be performed with the data in view of one or more data-handling requirements that are applicable to the data, one or more data-handling requirements that are applicable to the data, a history of the data (e.g., based on history data included within the contextual information), and so on.)

Regarding claim 10, Van Dyne in view of Karia teaches all the features with respect to claim 1, as outlined above. The combination further teaches wherein the first instructions configured to monitor, cognitively analyze and create or retrieve access rules and further configured to continuously monitor, cognitively analyze and create and retrieve access rules throughout an entirety of a communication session. ([Van Dyne 0066-0068] At 410, the computing device may transform the data. This may include transforming the data from one form to another form to comply with one or more data-handling requirements that are applicable to a request. At 412, the computing device may determine that an action or type of action has been performed. At 414, the computing device may update the contextual information to reflect performance of an action and/or transformation of the data.) In summary, steps 410-414 show continuously monitoring, cognitively analyzing and creating and retrieving access rules throughout an entirety of a communication session.

Regarding claims 11, 14-16 and 19-20, the scope of the claims is similar to that of claims 1, 6 and 8, respectively. Accordingly, the claims are rejected using a similar rationale.

Allowable Subject Matter
Claims 2-5, 12-13 and 17-18 would be allowable if rewritten to overcome the rejection(s) under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), 2nd paragraph, set forth in this Office action and to include all of the limitations of the base claim and any intervening claims.

The following is a statement of reasons for the indication of allowable subject matter for claims 2, 12 and 17:

In interpreting the claim, in light of the specification, the examiner finds the claimed invention to be patentably distinct from the prior art of record.

Van Dyne (US 20170329991 A1) teaches contextual information surrounding the creation and/or subsequent actions associated with the data. The contextual information may be updated as the data is handled in various manners. The contextual information may be used to identify data-handling requirements that are applicable to the data. The contextual information is analyzed at any time to provide responses regarding handling of the data to requests from requestors.

Karia (US 20200364358 A1) teaches receiving a request for access to data of a user, the request comprising an identification of a requestor and an identification of the data, determining, via a cognitive engine, whether or not to provide access to the data of the user based on context associated with the user, in response to determining to provide access to the data of the user, invoking chaincode which retrieves access to the data of the user from a blockchain and provides the requestor with access to the data of the user, and storing a result of the determination by the cognitive engine via the blockchain.

Ding (US 20210084032 A1) teaches receiving, (i) an information request to an information system from a computing system that provides a natural language interface, wherein the information request is associated with a user, and (ii) a token associated with the information request; in response to receiving the information request, sending, (i) the token associated with the information request and (ii) a user data request for information from a user profile for the user; extracting, a user identifier from user profile information received in response to the user data request; identifying, a user identity for the user based on a match between the extracted user identifier and a user identifier in a user registry associated with the information system; and processing, the information request based on the identified user identity.

Jones (US 20040243824 A1) teaches authorizing the performance of actions, comprising: receiving a request to perform an action; ascertaining one or more authentication ticket requirements that are related to authorizing performance of the action; and pursuing at least one authentication ticket corresponding to at least a portion of the one or more authentication ticket requirements.


The prior art of record fails to teach or suggest, individually or in combination, each and every limitation of the claimed invention as a whole. For example, Van Dyne, Karia, Ding and Jones in combination do not disclose all the specific arrangements and functions, such as in response to receiving the context access token from the cognitive analysis engine, dynamically assemble a virtual database that only stores data that is responsive to the context of the inputs, within the context of the claimed invention as a whole, as recited in claims 2, 12 and 17.
Thus, the Examiner finds that the prior art does not provide sufficient teaching or motivation for anticipating or rendering obvious, within the claimed invention as a whole, without the usage of impermissible hindsight reasoning.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 20220224685 A1, "Context-based authentication of a user", by Dhindsa, teaches that a device may receive a notification to authenticate a user associated with a user account of an application server. The device may send, to the user device, an authentication request that prompts the user to provide a contextual description of an operation associated with the user account. The device may receive, from the user device, an authentication response that includes a described characteristic of the operation that is associated with a parameter of the operation. The device may determine whether the authentication response is valid based on a comparison of the described characteristic of the operation and the parameter of the operation. The device may cause, based on a determination that the authentication response is valid, performance of the operation based on the parameter.
US 8584212 B1, "On-demand service security system and method for managing a risk of access as a condition of permitting access to the on-demand service", by Junod, teaches mechanisms and methods for managing a risk of access to an on-demand service as a condition of permitting access to the on-demand service. These mechanisms and methods for providing such management can enable embodiments to help prohibit an unauthorized user from accessing an account of an authorized user when the authorized user inadvertently loses login information. The ability of embodiments to provide such management may lead to an improved security feature for accessing on-demand services.
US 10380489 B2, "Cognitive enterprise system", by Ankisettipalli, teaches receiving a query created by a user, receiving output data of at least one function to retrieve data related to the query and analyzing the output data of the at least one function to retrieve data related to the query; generating at least one dynamic knowledge graph associated with the output data of the at least one function, wherein the at least one dynamic knowledge graph comprises data from the output data of the at least one function and indicates relationships between the data, analyzing the at least one dynamic knowledge graph to determine data relevant to the query generated by the user, and generating a response to the query based on the data relevant in the at least one dynamic knowledge graph.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to HAN YANG whose telephone number is (408)918-7638. The examiner can normally be reached on Monday to Friday, 9:00-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin, can be reached on 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/HAN YANG/Examiner, Art Unit 2493