DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-20 are presented for examination.
This action is responsive to the communication filed on 13 June 2022.

Priority
Applicant’s claim for the benefit of a prior-filed application under 35 U.S.C. 119(e) or under 35 U.S.C. 120, 121, 365(c), or 386(c) is acknowledged. Applicant has not complied with one or more conditions for receiving the benefit of an earlier filing date under 35 U.S.C. 112(a) as follows:
The later-filed application must be an application for a patent for an invention which is also disclosed in the prior application (the parent or original nonprovisional application or provisional application). The disclosure of the invention in the parent application and in the later-filed application must be sufficient to comply with the requirements of 35 U.S.C. 112(a) or the first paragraph of pre-AIA  35 U.S.C. 112, except for the best mode requirement.  See Transco Products, Inc. v. Performance Contracting, Inc., 38 F.3d 551, 32 USPQ2d 1077 (Fed. Cir. 1994).
The disclosure of the prior-filed application, Application No. 17/342,153, fails to provide adequate support or enablement in the manner provided by 35 U.S.C. 112(a) or pre-AIA  35 U.S.C. 112, first paragraph for one or more claims of this application. Claims 1
receiving … a completed assessment template regarding a standard from a vendor;
…
determining … a relative risk rating for each of the plurality of question/answer pairings;

These portions of the instant Specification are not disclosed in the prior-filed application.  Nowhere in the prior-filed application does the term “completed assessment template” appear.  Although the prior-filed application discloses accessing a completed privacy template (US 2021/0342454 at ¶ 12) and conducting privacy audits (Id. at ¶ 42), there is no disclosure of a completed assessment template regarding a standard from a vendor.  Further, the only paragraph that discloses a “standard” related to a “vendor” is ¶ 62, where it is disclosed that vendor attributes may include vendor membership in one or more standard organizations.  
Additionally, there is no disclosure regarding a relative risk rating for each of a plurality of question/answer pairings.  Accordingly, these claim requirements do not have support under 35 U.S.C. 112(a).
Regarding claim 3, the prior-filed application has no disclosure of an online portal integrated with an instance of each computer system of the plurality of computer systems.
Regarding claim 10, the prior-filed application has no disclosure of measuring a maturity of a respective entity meeting a standard.
Claims 2, 4-9, and 11-20 recite similar subject matter or depend on claims reciting the above mentioned subject matter.  Therefore, claims 1-20 do not comply with the requirements of 35 U.S.C. 112(a).
Applicant states that this application is a continuation or divisional application of the prior-filed application. A continuation or divisional application cannot include new matter. Applicant is required to delete the benefit claim or change the relationship (continuation or divisional application) to continuation-in-part because this application contains the above identified matter not disclosed in the prior-filed application.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1-20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. Claims 1-20 recite or depend on the above mentioned claim requirements, which amount to new matter.  Accordingly, claims 1-20 are rejected under 35 USC 112(a).
Applicant states that this application is a continuation or divisional application of the prior-filed application. A continuation or divisional application cannot include new matter. Applicant is required to delete the benefit claim or change the relationship (continuation or divisional application) to continuation-in-part because this application contains the above identified matter not disclosed in the prior-filed application.
Claim 10 is rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.  Claim 10 requires an initiative being conducted; however, the specification has no disclosure of conducting an initiative.
Claim 16 corresponds to claim 10; therefore, it is rejected for the same reason.

Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
Step 2A Prong 1 (MPEP 2106.04 II. A. 1): Claim 1 recite(s): 
identifying, by the computing hardware, a weighting factor for each of the plurality of question/answer pairings; 
determining, by the computing hardware, a relative risk rating for each of the plurality of question/answer pairings; [and]
generating, by the computing hardware, a risk rating for the vendor meeting the standard based on the relative risk rating and the weighting factor for each of the plurality of question/answer pairings,
…
wherein each computer system of the plurality of computer systems is associated with a respective entity of a plurality of entities and each respective entity uses the risk rating and the completed assessment template in conducting a respective computerized assessment of a respective campaign that is associated with the respective entity meeting the standard.
These limitations recite an abstract idea because the identifying, determining, generating, and conducting a computerized assessment, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components.  That is, other than reciting “by computing hardware” nothing in the claim elements precludes the step from practically being performed in the mind.  For example, but for the “by computing hardware” language, identifying, determining, generating, and conducting a computerized assessment in the context of this claim encompasses a human operator identifying weighting factors by observing data on a computer monitor, determining a relative risk rating based on a mental judgement, generating a risk rating by performing calculations using pen and paper, and a human operator performing an assessment of a campaign by observing data and using mental judgments.  If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas.  Accordingly, the claims recite an abstract idea.
Step 2A Prong 2 (MPEP 2106.04 II. A. 2): This judicial exception is not integrated into a practical application.  In particular, the claim additionally recites “facilitating, by the computing hardware, an electronic transfer of the risk rating and the completed assessment template to a plurality of computer systems”.  
This additional recitation does not integrate the abstract idea into a practical application because it amounts to insignificant extra-solution activity of mere data gathering or transmitting (See MPEP 2106.04(d) and 2106.05(g)).  For example, obtaining information about transactions using the internet to verify credit card transactions was found to be mere data gathering which amounted to insignificant extra-solution activity (CyberSource v. Retail Decisions, Inc., 654 F.3d 1366, 1375, 99 USPQ2d 1690, 1694 (Fed. Cir. 2011)).  Further, consulting and updating an activity log was found to be insignificant extra-solution activity (Ultramercial, 772 F.3d at 715, 112 USPQ2d at 1754).
Here, transferring the completed assessment template corresponds to the obtaining of data and updating of activity logs in CyberSource and Ultramercial.  Therefore, the claims do not recite additional limitations that amount to significantly more than an abstract idea.
Step 2B (MPEP 2106.05):  The claims additionally recite “receiving, by computing hardware, a completed assessment template regarding a standard from a vendor, the completed assessment template comprising a plurality of question/answer pairings comprising an identification of attributes of the vendor associated with meeting with the standard”. 
These additional elements do not amount to significantly more than the judicial exception because they amount to mere extra-solution activity of data gathering (See MPEP 2106.05(g)).  For example, obtaining information about transactions using the internet to verify credit card transactions was found to be mere data gathering which amounted to insignificant extra-solution activity (CyberSource v. Retail Decisions, Inc., 654 F.3d 1366, 1375, 99 USPQ2d 1690, 1694 (Fed. Cir. 2011)).  Further, consulting and updating an activity log was found to be insignificant extra-solution activity (Ultramercial, 772 F.3d at 715, 112 USPQ2d at 1754).
Here, the receiving, by computing hardware, of a completed assessment template regarding a standard from a vendor, the completed assessment template comprising a plurality of question/answer pairings comprising an identification of attributes of the vendor associated with meeting with the standard, corresponds to the obtaining of data and updating of activity logs in CyberSource and Ultramercial.  Therefore, the claims do not recite additional limitations that amount to significantly more than an abstract idea.
Accordingly, since the independent claims recite an abstract idea (Step 2A Prong 1), do not integrate the recited abstract idea into a practical application (Step 2A Prong 2), and do not recite additional elements that amount to significantly more than an abstract idea (Step 2B), the claims are directed toward a judicial exception (non-statutory subject matter).  Therefore, the independent claims are rejected under 35 USC 101. 
Regarding claim 2, it further refines the generation of the risk rating; however, a human operator could observe a report of a vendor passing vetting requirements and manually calculate a risk rating based on the observations.  Therefore, the subject matter recited in claim 2 is directed toward an abstract idea.
Regarding claim 3, it further refines the process of transferring the completed assessment template; however, this does not significantly deviate from the data transfer found to be insignificant extra-solution activity in CyberSource and Ultramercial.  Therefore, the claim is directed toward an abstract idea.
Regarding claim 6, a human operator could observe publicly available data and calculate an awareness rating using pen and paper.  Accordingly, it is rejected as being directed to an abstract idea without significantly more.
Regarding claim 7, a human operator could determine employee titles by observing data on a computer monitor.  Accordingly, it is rejected as being directed to an abstract idea without significantly more.
Regarding claim 8, a human operator could determine a vendor has contracts with a government entity by observing data presented on a computer monitor.  Accordingly, it is rejected as being directed to an abstract idea without significantly more.
Regarding claim 10, a human operator could measure the maturity by observing data on a computer monitor.  Accordingly, the requirements recited in claim 10 are directed to an abstract idea.
Claims 9, 11-15, and 17-20 correspond to claims 1-8 and 10, and differ primarily in statutory category. Therefore, they are rejected for the same reasons.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1-3, 6-9, 11-15, 17, and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Barday et al. (US 2018/0182009).

Regarding claim 1, Barday et al. teaches: A method comprising: 
receiving, by computing hardware, a completed assessment template regarding a standard from a vendor (¶ 138, “Once a completed template has been saved to the system's memory, a third-party compliance assessor may optionally use the completed template to conduct an audit of the vendor”), the completed assessment template comprising a plurality of question/answer pairings comprising an identification of attributes of the vendor associated with meeting with the standard (¶ 133, “in various embodiments, each template may include a respective set of questions and, optionally, corresponding answers to the questions … the answers may have been audited (e.g., by a third-party compliance assessor) to determine whether the vendor and/or the vendor's services or products (which were covered by the template's questions) comply with one or more particular privacy standards and/or laws”); 
identifying, by the computing hardware, a weighting factor for each of the plurality of question/answer pairings (¶ 52, “the module enables a customer to enter or assign relative risk levels and weight factors for both audit results and questions and answers related to the customer's implementation”); 
determining, by the computing hardware, a relative risk rating for each of the plurality of question/answer pairings (¶ 52, “the module enables a customer to enter or assign relative risk levels and weight factors for both audit results and questions and answers related to the customer's implementation”); 
generating, by the computing hardware, a risk rating for the vendor meeting the standard based on the relative risk rating and the weighting factor for each of the plurality of question/answer pairings (¶ 49, “a Risk Assessment Module may be operable to take into account Weighting Factors and Relative Risk Ratings associated with the campaign in order to calculate a numerical Risk Level associated with the campaign”); and 
facilitating, by the computing hardware, an electronic transfer of the risk rating and the completed assessment template to a plurality of computer systems, wherein each computer system of the plurality of computer systems is associated with a respective entity of a plurality of entities and each respective entity uses the risk rating and the completed assessment template in conducting a respective computerized assessment of a respective campaign that is associated with the respective entity meeting the standard (claim 1, “facilitating the electronic transfer of the audited privacy template, via one or more computer networks, to a plurality of computer systems, each computer system being associated with a different entity, for use in the different entities' respective computerized assessments of at least one respective privacy campaign, to be executed by the respective entity, that includes the use of a product or service that is the subject of the completed privacy template”).
Barday et al. does not expressly teach receiving a completed assessment template; however, Barday et al. discloses saving a completed assessment template to a system’s memory (¶ 138).  A person having ordinary skill would have found receiving a completed assessment template obvious in view of saving a completed assessment template to a system’s memory, since saving a completed assessment template requires coming into possession of the completed assessment template at some point.

Regarding claim 2, Barday teaches: generating the risk rating for the vendor is further based on an indication that the vendor has passed one or more vetting requirements imposed by one or more government entities (¶ 255, “the system may be configured to calculate a relatively high privacy awareness score for a vendor that has one or more contracts with one or more government entities (e.g., because an existence of such a contract may indicate that the vendor has passed one or more vetting requirements imposed by the one or more government entities).”).

Regarding claim 3, Barday teaches: the electronic transfer of the completed assessment template to the plurality of computer systems is carried out through an online portal integrated with an instance of each computer system of the plurality of computer systems (¶ 140, “The visual representations may be displayed when the customer accesses the system 100 via, for example, a central community portal for accessing privacy audit results for third-party vendor software.”).

Regarding claim 6, Barday teaches: analyzing, by computing hardware, publicly available data associated with the vendor; and generating, by the computing hardware, an awareness rating for the vendor based on the analyzed publicly available data, wherein the risk rating is further based on the awareness rating (¶ 250, “analyze one or more pieces of publicly available data associated with the vendor: and (2) calculate the privacy awareness score for the vendor based on the analyzed one or more pieces of publicly available data”).

Regarding claim 7, Barday teaches: analyzing the publicly available data comprises: determining at least one of employee titles, employee roles, or available job posts with the vendor based on analyzing at least one of a social networking website or a business related job website (¶ 119, “use social networking and other data to identify one or more employee titles of the business unit, one or more job roles for one or more employees in the group, one or more job postings for the for the business unit (e.g., group), etc”).

Regarding claim 8, Barday et al. disclose: analyzing the publicly available data comprises: determining the vendor has a plurality of contracts with a plurality of government entities (¶ 120, “the system may be configured to calculate a relatively high privacy maturity score for a group that has one or more contracts with one or more government entities (e.g., because an existence of such a contract may indicate that the group has passed one or more vetting requirements imposed by the one or more government entities)”).

Claims 9, 11-15, 17, and 19-20 correspond to claim 1, and differ only in statutory category. Therefore, they are rejected for the same reasons.

Claims 4-5 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Barday et al., as applied above, and further in view of Brannon et al. (US 2020/0004938).

Regarding claim 4, Barday et al. do not teach, however, Brannon et al. disclose: generating, by the computing hardware and based on the risk rating, a graphical user interface by configuring a navigation element on the graphical user interface (¶ 12, “generating an interface comprising a user-selectable object associated with an indication of satisfaction of the notification obligation; receiving an indication of a selection of the user-selectable object”), wherein the navigation element is configured for initiating a responsive action based on the risk rating (¶ 10, “taking one or more automated actions based on the vendor risk rating”); 
transmitting, by the computing hardware, an instruction to a user device to present the graphical user interface on the user device (¶ 19, “presenting, by one or more processors on a graphical user interface: the risk score for the particular vendor”); 
receiving, by the computing hardware, an indication of a selection of the navigation element (¶ 18, “detecting a selection of a user-selectable control for adding the new vendor on a second graphical user interface”); and 
responsive to receiving the indication, initiating, by the computing hardware, the responsive action (¶ 12, “responsive to receiving the indication of the selection of the user-selectable object, storing an indication of the satisfaction of the notification obligation”).
It would have been obvious to a person having ordinary skill in the art, at the effective filing date of the invention, to have applied the known technique of generating, by the computing hardware and based on the risk rating, a graphical user interface by configuring a navigation element on the graphical user interface, wherein the navigation element is configured for initiating a responsive action based on the risk rating; transmitting, by the computing hardware, an instruction to a user device to present the graphical user interface on the user device; receiving, by the computing hardware, an indication of a selection of the navigation element; and responsive to receiving the indication, initiating, by the computing hardware, the responsive action, as taught by Brannon et al., in the same way to the method, as taught by Barday et al. Both inventions are in the field of assessing risk of privacy campaigns, and combining them would have predictably resulted in “retrieving data regarding a plurality of privacy campaigns, and for using that data to assess a relative risk associated with the data privacy campaign”, as indicated by Brannon et al. (¶ 2).

Regarding claim 5, Brannon et al. disclose: generating, by the computing hardware, a second graphical user interface comprising an indication of the risk rating; and transmitting, by the computing hardware, a second instruction to a third-party computing device to present the second graphical user interface on the third-party computing device (¶ 18, “responsive to detecting the selection of the user-selectable control for adding the new vendor, presenting a third graphical user interface configured to receive the vendor information associated with the particular vendor”).

Claim 18 corresponds to claim 5, and differs only in statutory category. Therefore, it is rejected for the same reasons.

Claims 10 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Barday et al., as applied above, and further in view of Barday (US 2017/0357982).

Regarding claim 10, Barday et al. do not teach, however, Barday discloses: the respective campaign involves an initiative being conducted by the respective entity to meet the standard and the respective computerized assessment is configured to measure a maturity of the respective entity in meeting the standard (¶ 56, “modify one or more aspects related to one or more privacy campaigns of a particular sub-group within an organization based at least in part on the sub-group's privacy maturity. For example, the system may, in various embodiments, initiate stricter review standards or oversight for those sub-groups with relatively low privacy maturity scores”).
It would have been obvious to a person having ordinary skill in the art, at the effective filing date of the invention, to have applied the known technique of the respective campaign involves an initiative being conducted by the respective entity to meet the standard and the respective computerized assessment is configured to measure a maturity of the respective entity in meeting the standard, as taught by Barday, in the same way to the method, as taught by Barday et al. Both inventions are in the field of assessing risk of privacy campaigns, and combining them would have predictably resulted in “determining respective privacy maturity ratings for one or more groups within an organization, and processing the relevant data”, as indicated by Barday (¶ 2).

Claim 16 corresponds to claim 10, and differs only in statutory category. Therefore, it is rejected for the same reasons.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JACOB D DASCOMB whose telephone number is (571)272-9993. The examiner can normally be reached M-F 9:00-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lewis Bullock, can be reached on 5712723759. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/JACOB D DASCOMB/ Primary Examiner, Art Unit 2199