DETAILED ACTION

This non-final office action is in response to claims 1-17 filed March 05, 2021 for examination. Claims 1-17 are being examined and are pending. 
Notice of Pre-AIA  or AIA  Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 
Information Disclosure Statement

The information disclosure statement filed April 18, 2022 has been placed in the application file and the information referred to therein has been considered as to the merits. 
Drawings

The drawings filed on December 23, 2020 have been accepted.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-17 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
A) There is insufficient antecedent basis for the following claim terms in the claim.
Claim 1 recites "the accessibility" in 5th limitation.
Claim 4 recites “the ability”
Claim 5 recites “the accessibility”
Claim 7 recites “the ability”
Claim 8 recites “the known” and “the input”
Claim 17 recites “the partial-keys”
Dependent claims 2-3, 6, 9-16 are also rejected based on their dependency to independent claims.
B) Claim 8 recites “a force luhn check”. It is unclear what force luhn check means.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1, 3-4 and 5-7 are rejected under 35 U.S.C. because the claimed invention is directed to an abstract idea without significantly more. 
The independent claims 1 and 5 are directed to methods of restricting access to a data owner’s record. The methods recite creating data owner record, storing record, receiving request to protect data, protecting/tokenizing data, returning data, and changing accessibility of data. 
The limitation of “storing a record, creating a data owner record’ as drafted, is nothing but a data gathering/collecting process that, under its broadest reasonable interpretation, covers performance of limitation in mind. Claim further recites “receiving a request to protect data from the data owner, protecting/tokenizing data, returning the data in a protected format to the data owner, receiving a request from the data owner to change the accessibility of the data owner's data; and changing the accessibility of the data owner's data.” A person can manually store data record in a protected file/cabinet and limit/determine the accessibility based on some criteria. These limitations as drafted, under its broadest reasonable interpretation, covers performance of limitation in mind. According to the 2019 PEG, “steps performed with the mind” includes “an observation, evaluation, judgement, or opinion”. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. The claim limitations also fall within the “Certain Methods of Organizing Human activity” grouping of abstract ideas. According to the 2019 PEG, “Certain Methods of Organizing Human activity” includes commercial or legal interactions (including agreements in the form of contracts; legal obligations; advertising, marketing or sales activities or behaviors; business relations). Accordingly, the claims recite an abstract idea.
This judicial exception is not integrated into a practical application because the claims only recite some data gathering, evaluation, and judgment steps. As discussed above, these recited steps do not impose a meaningful limit on the judicial exception, such that the claims are more than a drafting effort designed to monopolize the exception. Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea. 
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements amount to no more than mere instructions to apply the exception using a generic computer component. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept.
Dependent claims 3-4 and 6-7 do not cure the deficiencies set forth above.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1-2 and 5 are rejected under 35 U.S.C. 102 (a)(2) as being anticipated by US 2012/0324223 A1 to Chambers et al. (“Chambers”).
Regarding claim 1, Chambers taught a computer-implemented method of restricting access to a data owner's data comprising the steps of: 
storing a record associated with a data owner (Para. 0024, 0027-0028, 0030, 0034, 0036, 0055. Social security numbers, passport numbers, license numbers account numbers, PII (i.e. records associated with a data owner) are stored in protected form); 
receiving a request to protect data from the data owner (Para. 0034, 0055. Receives sensitive data such as credit card number along with a request to protect it.); 
protecting the data (Para.0027. Encrypt the original sensitive data. Para. 0034. Generates a token to protect the sensitive data, inserts the token); 
returning the data in a protected format to the data owner (Para 0056. The token manager receives sensitive data for tokenization and returns the token to client. Para. 0059-0060. Token is a data in protected format. Para 0011. Returning to the client process a set of tokens including the primary token and the secondary token. See also Para. 0034); 
receiving a request from the data owner to change the accessibility of the data owner's data (Para.0029. Receives request to tokenize/encrypt sensitive data or, decrypt/access the sensitive data if authorize corresponds to receive request to change the accessibility of data. Para. 0035, 0047); and 
changing the accessibility of the data owner's data (Para. 0036. Decrypts and returns the original sensitive data corresponds to changing the accessibility of data. Para. 0047).  
Regarding claim 2, Chambers taught the computer-implemented method of claim 1 wherein the steps of protecting the data and returning the data in a protected format to the data owner are performed using one of the following data protection mechanisms: pseudonymization; encryption with managed key management system; encryption with hosted key management system; managed vaulted tokenization; hosted vaulted tokenization; managed vaultless tokenization; and hosted vaultless tokenization (Para. 0011, 0034, 0056).  
Regarding claim 5, Chambers taught a computer-implemented method of restricting access to a data owner's data comprising the steps of: creating a data owner record (Para. 0024, 0027-0028, 0030, 0034, 0036, 0055.); tokenizing data belonging to a data owner (Para.0027); and changing the accessibility of the data owner's data (Para. 0036, 0047). 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or non-obviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 3-4 and 6-7 are rejected under 35 U.S.C. 103 as being unpatentable over Chambers in view of US 2006/0178997 A1 to Schneck et al. (“Schneck”).
 Regarding claim 3, Chambers taught the computer-implemented method of claim 1 Chambers inherently taught further comprising the step of denying access (Para. 0036. Deny to access is just opposite to validate authorization and decrypt data), however the analogous art Schneck explicitly taught the step of denying access (Para. 0154. Access denial operation).
Therefore, it would have been obvious to one having ordinary skill in the art before the applicant(s) invention was filed to modify the invention of Chambers by including the idea of  denying access as taught by Schneck for the advantage of distributing data (intellectual property) that prevents copying, restricts re-distribution of the data and provides controlled access to the data (Schneck, Para. 0044).
Claim 6 recites similar limitations to claim 3, mutatis mutandis, the subject matter of claim 11, which is therefore, also considered to be taught by Chambers-Schneck combination as above.
Regarding claim 4, Chambers-Schneck combination further taught the computer-implemented method of claim 3 wherein the step of denying access to comprises disabling the ability to view in clear text the data in a protected format (Schneck, Para. 0133, 0154, 0156).  
Regarding claim 7, Chambers-Schneck combination further taught the computer-implemented method of claim 6 wherein the step of denying access to the data owner's data comprises disabling the ability to detokenize the data owner's data (Scheneck, Para. 0133). 
 
Allowable Subject Matter
Claim 8 would be allowable if rewritten or amended to overcome the rejection(s) under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), 2nd paragraph, set forth in this Office action.
The following is a statement of reasons for the indication of allowable subject matter:  None of the prior arts on the record teaches the following limitation in combination with other recited limitations:
receiving a request for tokenization from a user, the request containing a Session token, a token definition logically related to the user, and a received value, wherein the Session token includes a policy identifier logically related to the user and a unique key logically related to the user, and wherein the token definition comprises one or more of the following attributes: a unique key; a hashing algorithm; an iteration count; a token layout; Non-Provisional Application: Method for Restricting Access to a Data Owner's Data 36 a token type, one or more replacement values; a token scope: a token table version: a masked character; a force luhn check: a language; a mask layout; a maximum token length; a minimum token length; a preserve case; a preserve value type; a unique token; an attribute for what data is subject to restriction; an attribute for whether or not to allow partial restriction; an attribute defining specific conditions for restrictions; an attribute for whether or not to allow values to be replaced to a same value; and one or more flags controlling how the resulting token should be formatted; decoding and validating the Session token; appending the user key and the token key to the received value to create an input value having more than one input value character: replacing each input value character of the input value with a known character to create a replacement input value, where the known character is related within a lookup table to the input value character according to the token definition: generating a cryptographically secure hash of the replacement input value to create a derived key; substituting each character of the replacement input value with a character from one or more lookup tables to create a third input value, the one or more lookup tables being selected based on one or more of the received value, the position of the character being replaced within the replacement input value, and the derived key.  
Dependent claims 9-16 are also allowable based on dependency to allowable claim 8.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
US 2022/0255746 A1 (Williamson et al.): A method for securing data in a centralized environment comprising: in response to receiving a request to protect data from the client device, providing, by the central server, an encrypted security value previously provided by the client device and stored by the central server to the client device for decryption and receiving a decrypted security value from the client device in response; accessing, by the central server, a token table mapping each of a plurality of input values to a different token value; tokenizing, by the central server, the data using the token table by querying the token table with a value of a portion of the data to identify a token value mapped to the value of the portion of the data and replacing the portion of the data with the identified token value; and providing, by the server, the tokenized data to a database for storage in conjunction with tokenized data corresponding to other user accounts such that an unauthorized access to tokenized data corresponding to a first user account does not compromise tokenized data corresponding to a second user account. Claim 1.
US 2017/0060776 A1 (Shimonek et al.): [0002] Authorization techniques are useful to allow content owner(s) to specify rule(s) regarding authorizing and/or denying access to content. A token is one example of an authorization technique. The token can be employed in order to limit access (e.g., time-based) to encrypted data. The token can be provided based upon successful authentication of credential(s) presented by a client application such as a media player. The token can be provided to a key service that, upon successful verification of the provided token, returns a decryption key that can be utilized to decrypt the encrypted data. For example, the token can have claim(s) that can be validated again configuration rules stored in the key service and utilized by the key service to grant or deny access to decryption key(s).
US 2014/0122476 A1 (Kaliski et al.): A method, system, and computer-readable memory containing instructions include employing a tokenizing authority to obtain a tokenized query term that represents a query term, using the tokenized query term to perform a lookup against a tokenized term database, determining whether the tokenized query term exists in the database. The method, system, and computer-readable memory may further include returning an encryption or decryption key corresponding to an encrypted record of information associated with the query term and corresponding to the tokenized query term. Abstract.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHAWNCHOY RAHMAN whose telephone number is (571)270-7471. The examiner can normally be reached Monday - Friday 8:30A-5P ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T Arani can be reached on 5712723787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/Shawnchoy Rahman/Primary Examiner, Art Unit 2438