DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-20 are presented for examination.
Responsive to communication filed on 6 July 2022.

Priority
Applicant’s claim for the benefit of a prior-filed application under 35 U.S.C. 119(e) or under 35 U.S.C. 120, 121, 365(c), or 386(c) is acknowledged. Applicant has not complied with one or more conditions for receiving the benefit of an earlier filing date under 35 U.S.C. 112(a) as follows:
The later-filed application must be an application for a patent for an invention which is also disclosed in the prior application (the parent or original nonprovisional application or provisional application). The disclosure of the invention in the parent application and in the later-filed application must be sufficient to comply with the requirements of 35 U.S.C. 112(a) or the first paragraph of pre-AIA  35 U.S.C. 112, except for the best mode requirement.  See Transco Products, Inc. v. Performance Contracting, Inc., 38 F.3d 551, 32 USPQ2d 1077 (Fed. Cir. 1994).
The disclosure of the prior-filed application, Application No. 17/342,153, fails to provide adequate support or enablement in the manner provided by 35 U.S.C. 112(a) or pre-AIA  35 U.S.C. 112, first paragraph for one or more claims of this application. Claims 1, 8, and 1
… automatically coordinating, by the computing hardware, an audit of the updated completed template for compliance with standards; 
receiving, by the computing hardware, an audited updated completed template; calculating, by the computing hardware, a risk rating for the particular product or service based on the audited updated completed template;

These portions of the instant Specification are not disclosed in the prior-filed application.  Nowhere in the prior-filed application does the term “audited updated completed template” appear.  Although the prior-filed application discloses accessing a completed privacy template (US 2021/0342454 at ¶ 12) and conducting privacy audits (Id. at ¶ 42), there is no disclosure of an audited updated completed template.  Further, there is no disclosure of coordinating an audit for compliance with standards.  Accordingly, they do not have support under 35 U.S.C. 112(a).
Regarding claim 4, the prior-filed application has no disclosure of generating, by the computing hardware, one or more tasks based on the completed template.
Regarding claim 5, the prior-filed application has no disclosure of determining to request the updated version of the completed template from the vendor occurs in response to receiving, by the computing hardware, an indication that at least one of the one or more tasks has been completed.
Regarding claims 6 and 15, the prior-filed application has no disclosure of determining to request the updated version of the completed template from the vendor is further based on determining that particular product or service has been revised.
Regarding claim 7, the prior-filed application has no disclosure of the responsive action further comprises facilitating an electronic transfer of the audited updated completed template and the risk rating for the particular product or service to a computer system that is associated with an entity for use by the entity in a computerized assessment of at least one activity that is to be executed by the entity and includes a use of the particular product or service and the electronic transfer of the audited updated completed template to the computer systems is carried out through an online portal integrated with an instance of the computer system.
Regarding claims 12 and 17, the prior-filed application has no disclosure of the vendor attribute indicates satisfaction, by the vendor, of a particular standard.
Applicant states that this application is a continuation or divisional application of the prior-filed application. A continuation or divisional application cannot include new matter. Applicant is required to delete the benefit claim or change the relationship (continuation or divisional application) to continuation-in-part because this application contains the above identified matter not disclosed in the prior-filed application.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1-20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. Claims 1, 8, and 1“receiving, by the computing hardware, an audited updated completed template,” which has no support in the prior-filed application (US 17/342,153).  Nowhere in the prior-filed application does the term “audited updated completed template” appear.  Although the prior-filed application discloses accessing a completed privacy template (US 2021/0342454 at ¶ 12) and conducting privacy audits (Id. at ¶ 42), there is no disclosure of an audited updated completed template.  Further, there is no disclosure of coordinating an audit for compliance with standards.  Accordingly, this claim constitutes new matter and is rejected under 35 U.S.C. 112(a). 
The claim requirements that constitute new matter should be removed or applicant is required to delete the benefit claim or change the relationship to continuation-in-part.
Claims 2-7, 9-13, and 15-20 depend on claims 1, 8, or 14; therefore, they are rejected for the same reason.
Regarding claim 4, the prior-filed application has no disclosure of generating, by the computing hardware, one or more tasks based on the completed template.
Regarding claim 5, the prior-filed application has no disclosure of determining to request the updated version of the completed template from the vendor occurs in response to receiving, by the computing hardware, an indication that at least one of the one or more tasks has been completed.
Regarding claims 6 and 15, the prior-filed application has no disclosure of determining to request the updated version of the completed template from the vendor is further based on determining that particular product or service has been revised.
Regarding claim 7, the prior-filed application has no disclosure of the responsive action further comprises facilitating an electronic transfer of the audited updated completed template and the risk rating for the particular product or service to a computer system that is associated with an entity for use by the entity in a computerized assessment of at least one activity that is to be executed by the entity and includes a use of the particular product or service and the electronic transfer of the audited updated completed template to the computer systems is carried out through an online portal integrated with an instance of the computer system.
Regarding claims 12 and 17, the prior-filed application has no disclosure of the vendor attribute indicates satisfaction, by the vendor, of a particular standard.

Claims 1-20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the enablement requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to enable one skilled in the art to which it pertains, or with which it is most nearly connected, to make and/or use the invention. Claim 1 requires “responsive to detecting the selection of the navigation element, initiating, by the computing hardware, the responsive action, wherein the responsive action comprises at least one of: (i) generating a second graphical user interface comprising an indication of the risk rating and transmitting a second instruction to a third-party computing device to present the second graphical user interface on the third-party computing device, (ii) generating an electronic communication comprising an indication of the risk rating and transmitting the electronic communication to the third-party computing device, or (iii) transferring the risk rating to a current or potential customer of the vendor for use in assessing a risk of using the particular product or service provided by the vendor”. There is no original disclosure regarding a “current or potential customer”. Claims 2-20 depend on this claim requirement or recite similar requirements; accordingly, they are rejected for the same reasons.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claim(s) 1, 4-6, 8, and 14-15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Barday (US 2017/0287030) and further in view of Brannon et al. (US 2020/0004938).

Regarding claim 1, Barday teaches: A method comprising: 
receiving, by computing hardware, the completed template from the vendor (claim 1, “receiving, by one or more computer processors, a completed privacy template from a centralized repository of completed privacy templates, the completed privacy template comprising a plurality of question/answer pairings regarding a particular vendor”); 
receiving, by the computing hardware, the updated version of the completed template that includes updated question/answer pairings regarding the particular product or service (claim 2, “receiving, by one or more computer processors, an updated version of the completed privacy template from the centralized repository of completed privacy templates, the updated completed privacy template comprising an updated plurality of question/answer pairings regarding the particular vendor”); 
Barday does not teach, however, Brannon et al. teach: determining, by the computing hardware based on the completed template, to request an updated version of the completed template from the vendor (¶ 28, “determining, by one or more processors, based at least in part on the vendor privacy risk assessment information, to request updated vendor privacy risk assessment information for the particular vendor”);
requesting, by the computing hardware, the updated version of the completed template from the vendor (¶ 28, “in response to determining to request the updated vendor privacy risk assessment information: generating, by one or more processors, a vendor privacy risk assessment questionnaire, transmitting, by one or more processors, the vendor privacy risk assessment questionnaire to the particular vendor”); 
in response to receiving the updated completed template, automatically coordinating, by the computing hardware, an audit of the updated completed template for compliance with standards (¶ 357, “the system may also auto-detect whether any changes have been made to the policy or the location of the privacy policy link on the page and, in response to auto-detecting such changes, trigger an audit of the project”); 
receiving, by the computing hardware, an audited updated completed template (¶ 191, “the Privacy Audit Module may determine at step 655 whether it has received any indication or confirmation that the privacy audit has been completed”); 
calculating, by the computing hardware, a risk rating for the particular product or service based on the audited updated completed template (¶ 28, “calculating, by one or more processors based at least in part on the updated vendor privacy risk assessment information, an updated privacy risk score for the particular vendor”); 
generating, by the computing hardware, a graphical user interface comprising a menu for managing a computerized workflow related to the vendor (¶ 12, “generating an interface comprising a user-selectable object associated with an indication of satisfaction of the notification obligation; receiving an indication of a selection of the user-selectable object”), the menu comprising a navigation element and a display element, wherein: 
the navigation element is configured for initiating a responsive action based on the risk rating, and the display element is configured for presenting the risk rating (¶ 17, “storing, in the vendor information database, the vendor risk score for the particular vendor and the additional privacy-related information associated with the particular vendor; and presenting, by one or more processors on a graphical user interface, the vendor risk score for the particular vendor and the additional privacy-related information associated with the particular vendor”); 
transmitting, by the computing hardware, an instruction to a user computing device to present the graphical user interface on the user computing device (¶ 19, “presenting, by one or more processors on a graphical user interface: the risk score for the particular vendor”); 
detecting, by the computing hardware, selection of the navigation element (¶ 18, “detecting a selection of a user-selectable control for adding the new vendor on a second graphical user interface”); and 
responsive to detecting the selection of the navigation element, initiating, by the computing hardware, the responsive action, wherein the responsive action comprises at least one of: (i) generating a second graphical user interface comprising an indication of the risk rating and transmitting a second instruction to a third-party computing device to present the second graphical user interface on the third-party computing device (¶ 18, “responsive to detecting the selection of the user-selectable control for adding the new vendor, presenting a third graphical user interface configured to receive the vendor information associated with the particular vendor”), 
(ii) generating an electronic communication comprising an indication of the risk rating and transmitting the electronic communication to the third-party computing device, or 
(iii) transferring the risk rating to a current or potential customer of the vendor for use in assessing a risk of using the particular product or service provided by the vendor.
It would have been obvious to a person having ordinary skill in the art, at the effective filing date of the invention, to have applied the claim requirements cited above, as taught by Brannon et al., in the same way to the method for receiving updated completed templates, as taught by Barday. Both inventions are in the field of assessing vendor risks, and combining them would have predictably resulted in “retrieving data regarding a plurality of privacy campaigns, and for using that data to assess a relative risk associated with the data privacy campaign”, as indicated by Brannon et al. (¶ 2).

Regarding claim 4, Barday discloses: generating, by the computing hardware, one or more tasks based on the completed template (¶ 204, “The system may also be adapted to periodically follow up with each user with reminders until the user completes the designated tasks”).

Regarding claim 5, Brannon et al. disclose: determining to request the updated version of the completed template from the vendor occurs in response to receiving, by the computing hardware, an indication that at least one of the one or more tasks has been completed (¶ 279, “at Step 1816, at least partially in response to the first computer software application being provided with the notification that the task has been completed, the system generates an updated privacy assessment for the product that reflects the fact that the task has been completed”).

Regarding claim 6, Brannon et al. disclose: determining to request the updated version of the completed template from the vendor is further based on determining that particular product or service has been revised (¶ 279, “automatically modifying any answers from within the question/answer pairings of the initial impact privacy assessment to reflect any modifications to the product that have been made in the course of completing the one or more tasks that implement the one or more substantive recommendations”).

Claim(s) 8 and 14-15  correspond(s) to claim(s) 1 and 6, and differ(s) only in statutory category. Therefore, it/they is/are rejected for the same reasons. 

Claim(s) 2-3, 7, 9-13, and 16-20 are rejected under 35 U.S.C. 103 as being unpatentable over Barday and Brannon et al., as applied above, and further in view of Barday et al. (US 2018/0182009).

Regarding claim 2, Barday et al. and Brannon et al. do not teach, however, Barday et al. teach: calculating the risk rating for the particular product or service is further based on an indication that the vendor has passed one or more vetting requirements imposed by one or more government entities (¶ 255, “the system may be configured to calculate a relatively high privacy awareness score for a vendor that has one or more contracts with one or more government entities (e.g., because an existence of such a contract may indicate that the vendor has passed one or more vetting requirements imposed by the one or more government entities).”).
It would have been obvious to a person having ordinary skill in the art, at the effective filing date of the invention, to have applied the known technique of calculating the risk rating for the particular product or service is further based on an indication that the vendor has passed one or more vetting requirements imposed by one or more government entities, as taught by Barday et al., in the same way to the method, as taught by Barday et al. and Brannon et al. Both inventions are in the field of assessing vendor risk, and combining them would have predictably resulted in “generating, in an efficient manner, risk assessments associated with particular privacy campaigns”, as indicated by Barday et al. (¶ 2).

Regarding claim 3, Barday and Brannon et al. do not teach, however, Barday et al. teach: the method further comprises analyzing, by the computing hardware, one or more pieces of publicly available data associated with the vendor; and calculating the risk rating for the particular product or service is further based on the one or more pieces of publicly available data (¶ 250, “analyze one or more pieces of publicly available data associated with the vendor: and (2) calculate the privacy awareness score for the vendor based on the analyzed one or more pieces of publicly available data”).
It would have been obvious to a person having ordinary skill in the art, at the effective filing date of the invention, to have applied the known technique of the method further comprises analyzing, by the computing hardware, one or more pieces of publicly available data associated with the vendor; and calculating the risk rating for the particular product or service is further based on the one or more pieces of publicly available data, as taught by Barday et al., in the same way to the method, as taught by Barday and Brannon et al. Both inventions are in the field of assessing vendor risk, and combining them would have predictably resulted in “generating, in an efficient manner, risk assessments associated with particular privacy campaigns”, as indicated by Barday et al. (¶ 2).

Regarding claim 7, Barday and Brannon et al. do not teach, however, Barday et al. teach: the responsive action further comprises facilitating an electronic transfer of the audited updated completed template and the risk rating for the particular product or service to a computer system that is associated with an entity for use by the entity in a computerized assessment of at least one activity that is to be executed by the entity (claim 1, “the audited privacy template in computer memory; and after the audit is complete, facilitating the electronic transfer of the audited privacy template, via one or more computer networks”) and includes a use of the particular product or service and the electronic transfer of the audited updated completed template to the computer systems is carried out through an online portal integrated with an instance of the computer system (¶ 220, “the system 100 may include an online portal and community (e.g., central community portal 1800) that includes a listing of a plurality of the templates discussed above”).
It would have been obvious to a person having ordinary skill in the art, at the effective filing date of the invention, to have applied the known technique of the responsive action further comprises facilitating an electronic transfer of the audited updated completed template and the risk rating for the particular product or service to a computer system that is associated with an entity for use by the entity in a computerized assessment of at least one activity that is to be executed by the entity and includes a use of the particular product or service and the electronic transfer of the audited updated completed template to the computer systems is carried out through an online portal integrated with an instance of the computer system, as taught by Barday et al., in the same way to the method, as taught by Barday and Brannon et al. Both inventions are in the field of assessing vendor risk, and combining them would have predictably resulted in “generating, in an efficient manner, risk assessments associated with particular privacy campaigns”, as indicated by Barday et al. (¶ 2).

Claim(s) 9 correspond(s) to claim(s) 3, and differ(s) only in statutory category. Therefore, it/they is/are rejected for the same reasons. 

Regarding claim 10, Barday et al. teach: the publicly available data comprises at least one of employee titles at the vendor, employee roles at the vendor, or available job postings for the vendor (¶ 254, “the system is configured to analyze one or more social networking sites (e.g., LinkedIn, Facebook, etc.) and/or one or more business related job sites (e.g., one or more job-posting sites, one or more corporate websites, etc.). The system may, for example, use social networking and other data to identify one or more employee titles of the vendor, one or more job roles for one or more employees of the vendor, one or more job postings for the vendor, etc”).

Regarding claim 11, Brannon et al. teach: the operations further comprise: scanning a webpage associated with the vendor to identify a vendor attribute (¶ 10, “scanning, by one or more processors, one or more webpages associated with a vendor; (B) identifying, by one or more processors, one or more vendor attributes based on the scan”); and calculating the risk rating for the particular product or service based on the vendor attribute (¶ 10, “calculating a vendor risk score based at least in part on the one or more vendor attributes”).

Regarding claim 12, Brannon et al. teach: the vendor attribute indicates satisfaction, by the vendor, of a particular standard (¶ 16, “a method for determining vendor privacy standard compliance may include analyzing the one or more documents using one or more natural language processing techniques to identify particular terms in the one or more documents”).

Regarding claim 13, Brannon et al. teach: the particular product comprises at least one of a component or a raw material (¶ 139, “Vendors may supply a component or raw material to the organization, or an outside contractor responsible for the marketing or legal work of the organization”).

Claim(s) 16-20 correspond(s) to claim(s) 2 and 10-13, and differ(s) only in statutory category. Therefore, it/they is/are rejected for the same reasons. 

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JACOB D DASCOMB whose telephone number is (571)272-9993. The examiner can normally be reached M-F 9:00-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lewis Bullock can be reached on 5712723759. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/JACOB D DASCOMB/Primary Examiner, Art Unit 2199