DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 12/26/2025 has been entered.
Response to Amendment / Arguments
Regarding claims objected to for minor informalities:
Applicant’s amendment has overcome the applied objection. As such, the objection has been withdrawn.
Regarding claims rejected under 35 USC 112(b):
Applicant’s amendment has overcome the applied rejection. As such, the rejection has been withdrawn.
Regarding claims rejected under 35 USC 112(a):
Applicant's arguments have been fully considered but they are not persuasive.
Applicant cites to portions of the specification and argues that “When read together, these disclosures describe a networked cyber-security system that integrates with remote servers and automates account closure and global value changes across multiple accounts simultaneously. One skilled in the art would understand that automating account closure and globally changing values across multiple networked accounts simultaneously requires the system to communicate instructions to the remote servers hosting those accounts. The specification's description of simultaneous global changes across discovered accounts, combined with the system's integration with remote networked services, reasonably conveys that the system communicates instructions to remote servers to cause the described operations.” Specifically, Applicant cites to [64], [28]-[29], [23], [51], [85], and [102].
However, the cited portions and the specification are silent as to the actual remote servers performing the changes. The cited portions and the specification are further silent as to the definition of “an account closing process.” For instance, [64] states that “cyber-security system 201 may integrate with one or more services (such as social media websites, banking websites, etc.) which may inform the cyber-security system 201 whether the identifying information corresponds to an account on each service,” where the integration is only particularly associated with determining user accounts rather than the other way around where the cyber-security system sends account closure / change instructions to the servers. Likewise, [28]-[29] merely state that “the cyber- security device 100 may communicate with one or more other computing devices 140, such as… servers” without specifying the communication being that of account closure / change instructions. Where [23] recites that “cyber-security system may also, in operation, assist or automate closing of any selected accounts… assist or automate updating personal information contained within any of the selected accounts,” this does not refer to account closure / change instructions from the cyber-security system to the remote servers. The particulars of “assist” are not described. The text of [51] is similar with respect to “assist” language, and further states that “cyber-security account analysis system 203 may upon discovery of a consumer's accounts allow the consumer to globally change information such as a consumer address or phone number across all of the discovered accounts simultaneously.” However, the particular steps of “allow” and “globally change” are not described in reference to instructions for the remote servers.
Paragraph [85] of the specification states that “cyber-security system 201 may automatically initiate closing of select accounts listed in one of the generated lists based on predetermined criteria. For instance, cyber-security system 201 may close accounts… a consumer may indicate via a user interface that various accounts should be closed and cyber-security system 201 may begin an account closing process for the consumer,” but this is silent concerning the remote servers. Paragraph [102] comprises similar language, and likewise lacks interaction with the remote servers for the closure/change instruction.
While the specification may imply communicating with, e.g., social media network servers to close accounts, it does not actually describe this taking place. There are different manners of closing accounts, including by phone, email, or letter.
Regarding claims rejected under 35 USC 101:
Applicant's arguments have been fully considered but they are not persuasive.
Applicant argues that the claims are integrated into a practical application because “amended claims recite specific computer functionality that cannot be performed through human mental steps,” focusing on the limitations concerning “continuously monitor,” “using a pattern matching engine,” “automatically determining,” “automatically communicate,” and “simultaneously communicate to one or more respective servers.”
In response, it is noted that “using a pattern matching engine” and the terms “automatically” are not considered to integrate the abstract idea into a practical application because adding the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely using a computer as a tool to perform an abstract idea is not considered to be sufficient—see MPEP 2106.05(f). Here, the pattern matching performed by the pattern matching engine is to parse metadata from email headers to identify domain names. This is comparable to basic interactions by any user of an email application (i.e., checking to see who their email is from). Further, the method of parsing is not otherwise defined in a computerized manner (e.g., using a trained neural network or a particular pixel analysis algorithm). Instead, it is performed in essentially the same manner as that of a typical human user. Additionally, “automatically” is considered equivalent to adding the words “apply it.”
With respect to “continuously monitoring,” it is noted that the manner of monitoring is not specified, and is further unbounded in time. For instance, “continuously monitoring” may be done by a person for a few minutes without issue. Since the computerized details of the “monitoring” are not otherwise specified, then this may be a mere computerization of the user looking for a period of time.
Although a human would not be able to simultaneously communicate to a plurality of respective servers, the currently amended claim language is drawn to “simultaneously communicat[ing] to one or more respective servers.” Since it is not clear how to “simultaneously communicate” with the case of a singular server, then it is not clear how this would differentiate over a user communicating with an equivalent entity.
Applicant further argues that the “claim elements also enhance computer operation and improve networked communication technology.” However, and as described above, the claim elements at issue may be performed by a human. Thus, the claimed invention is addressing a problem that transcends computing (checking emails for particular information and then reviewing it and choosing whether to close accounts and change account information).
Claim Objections
Claim 9 is objected to because of the following informalities: it recites “for each email correspondence m,” which appears to be a misprint of “in”. Appropriate correction is required.
Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.
The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.
Claims 1-2, 5-6, 8-10, 13, 15-16, and 18-19 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. Each of independent claims 1, 9, and 16 recite the following subject matter which is considered to be new matter: “automatically communicate to the remote server associated with the respective account, one or more instructions that cause the remote server associated with the respective account to close the respective account” and “simultaneously communicate to one or more respective remote servers associated with the one or more accounts, respective instructions that cause the respective remote servers to change the value of the particular type of information to correspond to the new value.” While the instant specification does recite its cyber-security system 201 closing accounts on behalf of a user and changing values, it does not specify that this is performed by sending instructions to a respective remote server to perform the account closure and/or change values.
For instance, [5] and [102]-[103] of the instant specification concern account closure and recite that a consumer may use an interface to instruct the cyber-security system 201 to begin an account closing process for the consumer. Although the instant specification does recite integrating with one or more services (such as websites) with respect to customer accounts in [64], this does not specify that the services perform the account closure. While [77] of the instant specification does recite that a service provider “may then take action to reduce any potential damage resulting from the data breach,” the action is not specified as closing an account. Since “an account closing process” is not otherwise specified, it can be interpreted in ways other than identifying and contacting the relevant service and initiating its electronic account cancellation process. For example, “an account closing process” can mean sending physical mail in the case of a gym membership that does not allow internet cancellation. In such a case, account closing process may comprise alerting an employee to write up and mail a gym membership cancellation on behalf of the customer.
With respect to “simultaneously communicate to one or more respective remote servers associated with the one or more accounts, respective instructions that cause the respective remote servers to change the value of the particular type of information to correspond to the new value,” [78] of the instant specification recites the cyber-security system 201 adjusting the value. Likewise, [51] of the instant specification recites that “cyber-security account analysis system 203 may upon discovery of a consumer's accounts allow the consumer to globally change information such as a consumer address or phone number across all of the discovered accounts simultaneously.” However, the instant specification does not describe having remote servers change the value in response to communications from the cyber-security system 201. As in the example discussed above, changing account values/information may be performed in ways other than identifying and contacting the relevant service. For instance, in person, telephonically, or via physical mail.
The dependent claims do not rectify the addressed deficiencies, and are therefore likewise rejected with their respective parent claims.
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 1-2, 5-6, 8-10, 13, 15-16, and 18-19 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. Each of independent claims 1, 9, and 16, recites “simultaneously communicate to one or more respective remote servers” / “simultaneously communicating to one or more respective remote servers,” which renders these claims indefinite in the case of “one” of the “one or more” servers. Specifically, it is not clear how to interpret “simultaneously” communicating with just the one server. The instant specification in [51] states that “cyber-security account analysis system 203 may upon discovery of a consumer's accounts allow the consumer to globally change information such as a consumer address or phone number across all of the discovered accounts simultaneously.” However, this is in reference to the plural case rather than the singular. It is not clear what “simultaneously” is modifying if not communication with the plurality of servers (i.e., all at the same time).
The dependent claims do not rectify this issue and are therefore likewise rejected.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-2, 5-6, 8-10, 13, 15-16, and 18-19 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. Note that the courts do not distinguish between mental processes that are performed entirely in the human mind and mental processes that require a human to use a physical aid (e.g., pen and paper or a slide rule) to perform the claim limitation (refer to MPEP 2106.04(a)(2)).
Example independent claim 1 recites the following abstract idea limitations: A cyber-security system comprising a cyber-security account analysis system and a cyber-security privacy statement analysis system (certain methods of organizing human activity—e.g., a company having employees to analyze accounts and associated privacy statements), wherein the cyber-security system includes: cause the cyber-security account analysis system to:
continuously monitor at least one email account (observation as part of a mental process—e.g., an employee reviews an assigned email account);
determine source information for each email correspondence in the at least one email in the at least one email account using a pattern matching engine configured to parse metadata from email headers to identify domain names (observation and evaluation as part of a mental process—e.g., the employee looks through emails and finds the corresponding senders);
after determining that an email is likely to be associated with an account of a consumer, adding the account to a list of accounts associated with the consumer (evaluation as part of a mental process—e.g., the employee checks to see if email contents reference any accounts, and adds the emails to a pen-and-paper list if so); and cause the cyber-security privacy statement analysis system to:
for one or more accounts of the list of accounts, receive, from [an entity] associated with a respective account and that is in networked communication with the cyber-security system, at least one privacy policy, and information indicative of a last time the consumer accessed the respective account (mere data gathering as part of insignificant extra-solution activity—e.g., the employee obtains, from another office, policy information for an account verbally, telephonically, or via mail);
determine, based on the at least one privacy policy, one or more types of data collected by the [entity] and uses, by the [entity], for the data collected by the [entity] (observation and evaluation as part of a mental process—e.g., the employee parsing the privacy policy for specifics about data collection by the respective office/service);
generate, for the at least one privacy policy, a list of data being collected about the consumer based at least on the one or more types of data or one or more associated purpose statements detailing use of the data (transcribing information as part of a mental process—e.g., the employee writes out and lists the data that the privacy policy says it collects);
provide an interactive display (insignificant extra-solution activity—i.e., that the display may be interacted with in some manner; for instance, flipping through pages of a pamphlet or electronic pamphlet) of the account of the consumer along with the list of data being collected and the associated purpose statements regarding use of the data being collected (transcribing data as part of a mental process—e.g., the employee writes a report mapping accounts to collected user data and purpose statements);
upon receiving a user interaction with the interactive display, update the interactive display (insignificant extra-solution activity—e.g., flipping through pages, asking a presenter to switch slides, pressing a “next” button, and so forth) so as provide a graphical representation of at least a portion of a digital footprint of the consumer based on the list of data being collected, wherein the graphical representation includes a plurality of components, each of the components representing one of the determined accounts of the consumer, and wherein each of the components is represented by a shape that corresponds to an impact, on the digital footprint, of the account (charting information as part of a mental process—e.g., the employee drawing a visual representation in a certain format; representations of accounts associated with more gathered data may be drawn bigger);
after automatically determining, based on the information indicative of the last time the consumer accessed the respective account, that the last time the consumer accessed the respective account exceeds a threshold period (observation and evaluation as part of an abstract idea—e.g., the employee checking account activity against a given rule), automatically communicate to the [entity] associated with the respective account, one or more instructions that cause the [entity] associated with the respective account to close the respective account (certain methods of organizing human activity—e.g., the employee contacts the office/service verbally/telephonically/by mail to ask them to do something on behalf of the user);
after receiving, from a user, an indication that a value of a particular type of information specified in one or more accounts of the list of accounts should be changed to a new value, automatically (performance by a computer of operations that previously were performed manually or mentally, albeit less efficiently, does not convert a known abstract idea into eligible subject matter), and for each of the one or more accounts, simultaneously communicate to one or more respective [entities] associated with the one or more accounts, respective instructions that cause the respective [entities] to change the value of the particular type of information to correspond to the new value, thereby globally changing the value across all of the one or more accounts (certain methods of organizing human activities—e.g., the employee further contacts the office/service on behalf of the user to ask them to change information in their records);
determine whether a breach of the account of the consumer has occurred; and determine whether the breach has affected other accounts of the consumer (observation and evaluation as part of a mental process—e.g., observing signs of an account breach and checking associated other accounts for the same).
Example independent claim 1 recites the following limitations which may comprise additional elements that are sufficient to amount to significantly more than the judicial exception: a processor; a memory unit storing computer-executable instructions, which when executed by the processor [cause execution of the claimed steps]; the entity and entities further comprising a “remote server” and “remote servers,” respectively.
With respect to step 2A, this judicial exception is not integrated into a practical application because adding the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely using a computer as a tool to perform an abstract idea is not considered to be sufficient—see MPEP 2106.05(f). In this case, the claim is drawn to steps performable entirely by a mental process, but further comprises a processor, memory, and computer-executable instructions for performing the steps. These are base elements of any computer which could perform the judicial exception, rather than any particular machine. The claimed invention further does not improve the functioning of a computer or any other technology or technical field so as to integrate the judicial exception into a practical application because it is addressing a problem that transcends computing. Specifically, the claim concerns looking through emails for account information; associating account information with respective account providers; associating account providers with respective privacy policies; detailing the found privacy policies; visualizing how much data is gathered for respective accounts; affecting changes across accounts; and determining account security. These do not relate to the functioning of a computer or any other technology or technical field.
With respect to step 2B, the claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception because adding the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely using a computer as a tool to perform an abstract idea is not considered to be sufficient—see MPEP 2106.05(f). In this case, a processor; a memory unit storing computer-executable instructions, which when executed by the processor [cause execution of the claimed steps] are base elements of any potential computer for implementing the judicial exception (a processor, memory, and instructions). Further, networked remote servers are the base element of computer-to-computer communication.
Independent claims 8 and 16 are substantially similar to claim 1 above, and are therefore likewise rejected under the same analysis.
Dependent claim 2 merely further specifies the abstract idea, and is therefore likewise rejected under the same analysis. Specifically, it recites the following abstract idea limitations: wherein the cyber-security account analysis system is further configured to: monitor a web browsing history information of the consumer (observation as part of a mental process—e.g., the employee looking through specific information); analyze the web browsing history information of the consumer to determine a first group of businesses associated with the consumer (observation and evaluation as part of a mental process—e.g., the employee parsing the specific information for businesses); based on analyzing the web browsing history information of the consumer, generate a first separate list of businesses associated with the consumer (evaluation as part of a mental process—e.g., the employee listing out found businesses via pen and paper); monitor a web cache of the consumer (observation as part of a mental process—e.g., the employee looking through additional specific information); analyze the web cache of the consumer to determine a second group of businesses associated with the consumer (observation and evaluation as part of a mental process—e.g., the employee parsing the additional specific information for businesses); based on analyzing the web cache of the consumer, generate a second separate list of businesses associated with the consumer (evaluation as part of a mental process—e.g., the employee listing out found businesses via pen and paper); for each business in the first separate list and the second separate list, and after determining that the consumer likely has an account with the business, add the determined account to the list of accounts associated with the consumer (evaluation and judgement as part of a mental process—e.g., selecting listed businesses); analyze privacy policies associated with the list of accounts (evaluation as part of a mental process—e.g., the employee cross references the listed businesses with known privacy policies corresponding to the businesses); generate, for each analyzed privacy policy, a list of data being collected about the consumer and associated purpose statements regarding use of data being collected (observation and evaluation as part of a mental process—e.g., if specific information references a store, then the employee checks and parses the available privacy policy for that particular store); and display the list of accounts along with the list of data being collected and associated purpose statements regarding use of data being collected (transcribing data as part of a mental process—e.g., the employee writes a report mapping business accounts to collected user data and purpose statements).
Dependent claim 5 merely further specifies the abstract idea, and is therefore likewise rejected under the same analysis. Specifically, it recites the following abstract idea limitations: wherein the cyber-security privacy statement analysis system is further configured to: determine, for the at least one analyzed privacy policy, whether the data being collected about the consumer is shared with at least one third party (further determining data associations as part of a mental process); and display the account of the consumer along with information regarding data about the consumer being shared with at least one third party (transcribing additional data as part of the mental process).
Dependent claim 6 merely further specifies the abstract idea, and is therefore likewise rejected under the same analysis. Specifically, it recites the following abstract idea limitations: wherein the cyber-security privacy statement analysis system is further configured to: determine if the at least one privacy policy of the account of the consumer was previously analyzed; and retrieve any saved analysis related to a previously analyzed privacy policy based on a determination that the at least one privacy policy was previously analyzed (observation and judgement as part of a mental process—e.g., checking if there is any relevant information that was already previously found for something under analysis).
Dependent claim 8 merely further specifies the format of data that is displayed, and is therefore likewise rejected under the same analysis.
Dependent claims 13, 15, and 18 are substantially similar to claims 5 and 8 above, and are therefore likewise rejected.
Dependent claim 19 merely further specifies the abstract idea, and is therefore likewise rejected under the same analysis. Specifically, it recites the following abstract idea limitations: wherein the breach is determined based on comparison of known breached accounts to one or more identifiers corresponding to the account (observation and evaluation as part of a mental process—e.g., checking for social security numbers, credit card numbers, and other PII as part of an analysis).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to VADIM SAVENKOV whose telephone number is (571)270-5751. The examiner can normally be reached 12PM-8PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached at (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432
/V.S/Examiner, Art Unit 2432