Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

	Applicant’s Response
	In view of the Appeal Brief filed on 12/5/22, PROSECUTION IS HEREBY REOPENED. New grounds of rejections are set forth below.
To avoid abandonment of the application, appellant must exercise one of the following two options:
(1) file a reply under 37 CFR 1.111 (if this Office action is non-final) or a reply under 37 CFR 1.113 (if this Office action is final); or,
(2) initiate a new appeal by filing a notice of appeal under 37 CFR 41.31 followed by an appeal brief under 37 CFR 41.37. The previously paid notice of appeal fee and appeal brief fee can be applied to the new appeal. If, however, the appeal fees set forth in 37 CFR 41.20 have been increased since they were previously paid, then appellant must pay the difference between the increased fees and the amount previously paid.
A Supervisory Patent Examiner (SPE) has approved of reopening prosecution by signing below:
/KAVITA STANLEY/Supervisory Patent Examiner, Art Unit 2176                                                                                                                                                                                                        
Information Disclosure Statement
The information disclosure statements (IDS) submitted on 3/29/22, 4/28/22, 7/5/22, 7/5/22 and 12/6/22 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 5-20 are rejected under 35 U.S.C. 103 as being unpatentable over Dixon et al., United States Patent Publication 2006/0253458 (hereinafter “Dixon”), in view of Shraim et al, United States Patent Publication 2005/0257261 (hereinafter “Shraim”).
Claim 1:
	Dixon discloses:
A non-transitory computer-readable medium having program code that is stored thereon, the program code executable by one or more processing devices for performing operations comprising (see paragraph [0307]): 
identifying an electronic form used to collect personal data (see paragraphs [0250]-[00251]). Dixon identifies an electronic form used to collect personal data such as an email address; 
completing and submitting the electronic form with test data (see paragraph [0150] and [0251]). Dixon teaches completing and submitting the form with test data, such as false credit card, temporary credit card, false check routing number, false ATM card, false social security number (or other false personal information), test email account, test IM account, test messaging account, or the like; and 
after completing and submitting the electronic form: 
identify (i) a processing activity that makes use of the test data and (ii) a test data storage location (see paragraphs [0250]-[0252]). Dixon teaches determining what processing activity such as if the user aggressively emails or sells the email address and determine where the information is sent; 
accessing a data model defining electronic links between a plurality of data assets and comprising a plurality of data attribute inventories (see paragraphs [0142]). Dixon teaches accessing a data model that defines links between reputation data of websites collection personal information (i.e. data assets) and reputation data defining attributes of the websites (i.e. plurality of data attribute inventories), wherein: 
each of the plurality of data assets is used in at least one of collecting or storing data (see paragraph [0152]). Dixon teaches having information about website using the personal information that is collected and stored; and 
each of the plurality of data attribute inventories is associated with a respective data asset of the plurality of data assets and comprises a plurality of fields that define inventory attributes of the respective data asset (see paragraph [0153]). Dixon teaches the inventories storing information about the websites and having a plurality of fields defining the attributes; 
identifying a first data asset of the plurality of data assets associated with the test data storage location (see paragraph [0292]). Dixon teaches identifying a first data asset/a particular website requesting personal information; and 
modifying a first data inventory of the plurality of attribute inventories associated with the first data asset in the data model to include a field defining the personal data collected by the electronic form (see paragraph [0292]). Dixon teaches modifying the attribute inventory associated with the first data asset in the data model to include a field, such as acceptable, defining the personal data collected by the form will be safe.

Dixon fails to expressly disclose analyzing computer code associated with the electronic form to identify (i) a processing activity that makes use of the test data and (ii) a test data storage location.

Shraim discloses:
completing and submitting the electronic form with test data (see paragraph [0061]). Shraim teaches the master computer can comprise an evidence database and/or a database of “safe data,” which can be used to generate and/or store bait email addresses and/or fictitious personal information for use.
analyzing computer code associated with the electronic form to identify (i) a processing activity that makes use of the test data (see paragraph [0069]) Shraim teaches analyzing code associated with the form to determine what processing activity is associated with the form such as transactions and (ii) a test data storage location (see paragraph [0061]). Shraim teaches the master computer can be configured (e.g., via a software application) to seed bait email addresses, gather and/or analyze email messages transmitted to the bait email addresses, create and/or track events, investigate URLs and/or servers, prepare reports about events, notify customers about events, and/or communicate with a monitoring center and, more particularly, with a monitoring computer within the monitoring center.

Accordingly, it would having been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the method disclosed by Dixon to include analyzing the code to identify the processing activity and storage location of the test data for the purpose efficiently identifying fraud including what operations are performed on the collected data and where it will be stored, as taught by Shraim. 

Claim 5:
Dixon fails to expressly disclose the test data comprises a dummy profile that comprises an e-mail address.

Shraim discloses:
the test data comprises a dummy profile that comprises an e-mail address (see paragraph [0069]). Shraim teaches an automated process that include bait email addresses, create a domain registration with a bait email address as the administrative contact, compile and/or distribute lists of bait addresses formatted to appear as a list of harvested addresses, etc. 

Accordingly, it would having been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the method disclosed by Dixon to include a dummy profile including an email address for the purpose efficiently identifying fraud using a dummy email address, as taught by Shraim. 

Claim 6:
	Dixon discloses:
A system comprising; a non-transitory computer-readable medium storing instructions; and a processing device communicatively coupled to the non-transitory computer-readable medium, wherein, the processing device is configured to execute the instructions and thereby perform operations comprising (see paragraph [0307]): 
accessing a data model of a plurality of data assets used in at least one of collecting or storing personal data, the data model defining a plurality of electronic links between the plurality of data assets and storing a plurality of data attribute inventories (see paragraphs [0142]). Dixon teaches accessing a data model that defines links between reputation data of websites collection personal information (i.e. data assets) and reputation data defining attributes of the websites (i.e. plurality of data attribute inventories), 
wherein each data attribute inventory of the plurality of data attribute inventories is associated with a respective data asset of the plurality of data assets and comprises a plurality of fields that define inventory attributes for the respective data asset (see paragraphs [0152] and [0153]). Dixon teaches having information about website using the personal information that is collected and stored. Dixon teaches the inventories storing information about the websites and having a plurality of fields defining the attributes, wherein: 
 identifying a first data attribute inventory from the plurality of data attribute inventories, wherein the first data attribute inventory is associated with a first data asset of the plurality of data assets (see paragraph [0292]). Dixon teaches identifying the attributes and fields associated with a particular website; and 
determining, for a field of the plurality of fields of the first data attribute inventory, an attribute value for populating the field by (see paragraph [0153]):
identifying an electronic form used to collect personal data (see paragraphs [0250]-[00251]). Dixon identifies an electronic form used to collect personal data such as an email address; 
completing the identified electronic form using dummy data (see paragraph [0150] and [0251]). Dixon teaches completing and submitting the form with test data, such as false credit card, temporary credit card, false check routing number, false ATM card, false social security number (or other false personal information), test email account, test IM account, test messaging account, or the like; 
analyzing the completed electronic form to determine a processing activity that utilizes the personal data collected by the electronic form, the processing activity comprising storing the dummy data in a dummy data storage location (see paragraphs [0250]-[0252]). Dixon teaches analyzing the code to determine what processing activity such as if the user aggressively emails or sells the email address and determine where the information is sent.
determining that the first data asset is associated with the processing activity (see paragraphs [0250]-[0252]). Dixon teaches determining that particular website is associated with the processing activity of advertising or selling email addresses; and 
determining the attribute value for use in populating the at least one field based on the personal data collected by the electronic form (see paragraphs [0250]-[0252]). Dixon teaches determining the results of the reputation server based on the analyzing and monitoring the personal data such as being acceptable and not fraudulent;
in response to determining the attribute value, modifying the first data inventory to include the attribute value for the field by populating the field with the attribute value; and storing the modified first data inventory in computer memory (see paragraph [0292]). Dixon teaches modifying the attribute inventory associated with the first data asset in the data model to include a field, such as acceptable, defining the personal data collected by the form will be safe and storing the modified first data inventory in memory.

Dixon fails to expressly disclose analyzing computer code associated with the electronic form to identify (i) a processing activity that makes use of the test data and (ii) a test data storage location.

Shraim discloses:
completing the identified electronic form using dummy data (see paragraph [0061]). Shraim teaches the master computer can comprise an evidence database and/or a database of “safe data,” which can be used to generate and/or store bait email addresses and/or fictitious personal information for use.
analyzing the completed electronic form to determine a processing activity that utilizes the personal data collected by the electronic form, (see paragraph [0069]) Shraim teaches analyzing code associated with the form to determine what processing activity is associated with the form such as transactions.
the processing activity comprising storing the dummy data in a dummy data storage location (see paragraph [0061]). Shraim teaches the master computer can be configured (e.g., via a software application) to seed bait email addresses, gather and/or analyze email messages transmitted to the bait email addresses, create and/or track events, investigate URLs and/or servers, prepare reports about events, notify customers about events, and/or communicate with a monitoring center and, more particularly, with a monitoring computer within the monitoring center.

Accordingly, it would having been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the method disclosed by Dixon to include analyzing the code to identify the processing activity and storage location of the test data for the purpose efficiently identifying fraud including what operations are performed on the collected data and where it will be stored, as taught by Shraim. 

Claim 7:
Dixon fails to expressly disclose wherein completing the identified electronic form comprises submitting dummy data via the identified electronic form .

Shraim discloses:
wherein completing the identified electronic form comprises submitting dummy data via the identified electronic form (see paragraph [0061]). Shraim teaches the master computer can comprise an evidence database and/or a database of “safe data,” which can be used to generate and/or store bait email addresses and/or fictitious personal information for use.

Accordingly, it would having been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the method disclosed by Dixon to include a dummy profile including an email address for the purpose efficiently identifying fraud using a dummy email address, as taught by Shraim. 

Claim 8:
Dixon fails to expressly disclose discovering dummy data is stored on the first asset.

Shraim discloses:
wherein completing the identified electronic form comprises submitting dummy data via the identified electronic form (see paragraphs [0061]-[0063]). Shraim teaches a database of “safe data,” which can be used to generate and/or store bait email addresses and/or fictitious personal information for use.

Accordingly, it would having been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the method disclosed by Dixon to include a dummy profile including an email address for the purpose efficiently identifying fraud using a dummy email address, as taught by Shraim. 

Claim 9:
	Dixon discloses:
analyzing the completed electronic form to determine a processing activity that utilizes the personal data collected by the electronic form, the processing activity comprising storing the dummy data in a dummy data storage location (see paragraphs [0155] and [0292]). Dixon teaches analyzing the form to determine processing activity, monitoring access to the storage and execution of code.

Claim 10:
	Dixon discloses:
wherein the operations further comprise electronically mapping the first data asset to the processing activity that utilize the personal data collected by the electronic form (see paragraphs [0292]-[0306]). Dixon teaches the reputation information maps a website/data asset to a reputation determined by the processing activity of the personal data. 

Claim 11:
	Dixon discloses:
modifying the first data inventory comprises modifying the first data inventory to include an indication that the processing activity operates with data stored by the first data asset (see paragraphs [0292]-[0306]). Dixon teaches modifying the inventory to save the reputation data associated with the website as being acceptable and safe to enter personal data.

Claim 12:
	Dixon discloses:
wherein the electronic form comprises a webform (see paragraph [0007]). Dixon teaches a web reputation service for web content such as a web site, script, executable application, a web form, etc.

Claim 13:
	Dixon discloses:
wherein the non-transitory computer- readable medium further stores computer-executable instructions that, when executed by the one or more processors, cause the one or more processors to perform operations comprising linking the electronic form to the first data asset (see paragraphs [0142]). Dixon teaches defines links between reputation data of websites collection personal information of the form  and the websites.

Claim 14:
	Dixon discloses:
A method comprising (see paragraph [0307]): 
identifying, by the computing hardware, an electronic form used to collect personal data (see paragraphs [0250]-[00251]). Dixon identifies an electronic form used to collect personal data such as an email address; 
completing the electronic form, by the computing hardware, by submitting test data via the electronic form (see paragraph [0150] and [0251]). Dixon teaches completing and submitting the form with test data, such as false credit card, temporary credit card, false check routing number, false ATM card, false social security number (or other false personal information), test email account, test IM account, test messaging account, or the like; and 
after completing the electronic form, determining, by the computing hardware, a test data storage location, (see paragraphs [0142] [0250]-[0252]). Dixon teaches determining what processing activity is associated with the test data and determine where the information is sent/stored. The data assets and inventories are linked through the data model.
modifying a data inventory for the first data asset in the data model, by computing hardware, wherein modifying the data inventory (see paragraph [0292]) comprises : 
determining an attribute value for an attribute field for the data inventory based on the personal data collected by the electronic form (see paragraphs [0250]-[0252]). Dixon teaches determining the results of the reputation server based on the analyzing and monitoring the personal data such as being acceptable and not fraudulent; 
modifying the data inventory to generate a modified data inventory that comprises an indication that the processing activity utilizes the test data (see paragraph [0292]). Dixon teaches modifying the attribute inventory associated with the first data asset in the data model to include a field, such as acceptable, defining the personal data collected by the form will be safe; and 
modifying the data model to include the modified data inventory by mapping the first data asset to the processing activity that utilizes the test data (see paragraphs [0292]-[0306]). Dixon teaches the reputation information maps a website/data asset to a reputation determined by the processing activity of the personal data. 

Dixon fails to expressly disclose identifying a storage location of test data associated with the processing activity.

Shraim discloses:
completing the electronic form, by the computing hardware, by submitting test data via the electronic form (see paragraph [0061]). Shraim teaches the master computer can comprise an evidence database and/or a database of “safe data,” which can be used to generate and/or store bait email addresses and/or fictitious personal information for use.
determining, by the computing hardware, a test data storage location, wherein the test data storage location is associated with a first data asset in a data model and the first data asset is associated with a processing activity (see paragraph [0061]). Shraim teaches the master computer having a database can be configured (e.g., via a software application) to store seed bait email addresses, gather and/or analyze email messages transmitted to the bait email addresses, create and/or track events, investigate URLs and/or servers, prepare reports about events, notify customers about events, and/or communicate with a monitoring center and, more particularly, with a monitoring computer within the monitoring center.

Accordingly, it would having been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the method disclosed by Dixon to include to identify the processing activity and storage location of the test data for the purpose efficiently identifying fraud including what operations are performed on the collected data and where it will be stored, as taught by Shraim. 

Claim 15:
	Dixon discloses:
wherein identifying the electronic form used to collect the personal data comprises using one or more website scanning means to identify the electronic form by scanning a plurality of websites associated with an entity (see paragraphs [0142], [0147], [0150]). Dixon teaches web crawling used to scan websites to identify forms collecting personal data.

Claim 16:
	Dixon discloses:
wherein the electronic form is hosted on a particular website of the plurality of websites (see paragraph [0166]. Dixon teaches the electronic form is hosted by particular website of the plurality of websites such a store page of e-commerce websites.

Claim 17:
	Dixon discloses: 
wherein the electronic form comprises a contact form (see paragraph [0247]). Dixon teaches a contact form, requesting name, email, SSN, etc.

Claim 18:
	Dixon fails to expressly disclose monitoring the test data email addresses. 

	Shraim discloses:
the test data comprises an e-mail address; and the method further comprises monitoring an e-mail account associated with the e-mail address for a confirmation e-mail related to the completion of the electronic form (see paragraphs [0052]-[0054], [0061], [0092]-[0094]). Shraim teaches identifying an email address and fields in which a user may provide personal information and analyzing the fields to see what information was submitted. Shraim also teaches generating bait email address and monitoring those email addresses.

Accordingly, it would having been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the method disclosed by Dixon to include extracting test data from the email associated with the form for the purpose efficiently identifying fraud by monitoring test data, as taught by Shraim. 

Claim 19:
	Dixon fails to expressly disclose extracting test data from the confirmation email associated with the form. 

	Shraim discloses:
extracting, by the computing hardware, the test data from the confirmation e-mail associated with the electronic form (see paragraphs [0052]-[0054], [0061], [0092]-[0094]). Shraim teaches identifying fields in which a user may provide personal information and analyzing the fields to see what information was submitted. Shraim also teaches generating bait email address and monitoring those email addresses.

Accordingly, it would having been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the method disclosed by Dixon to include extracting test data from the email associated with the form for the purpose efficiently identifying fraud by monitoring test data, as taught by Shraim. 

Claim 20:
	Dixon discloses:
adding, by the computing hardware, the first data asset to a third-party data repository with an electronic link to the electronic form (see paragraph [0335]). Dixon teaches the reputation data being provided for a third party and linking to the electronic form such as one-click shopping.


Response to Arguments
Applicant’s arguments, see Appeal Brief dated, filed 10/17/22, with respect to the rejection of claims 1, 5-10 under 35 USC 103 have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new grounds of rejection are made in view of Dixon and Shraim.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TIONNA M BURKE whose telephone number is (571)270-7259. The examiner can normally be reached M-F 8a-4p.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kavita Stanley can be reached on (571) 272-8352. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/TIONNA M BURKE/Examiner, Art Unit 2176                                                                                                                                                                                                        12/15/22