DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This action is response to communication: response to RCE filed on 10/28/2025.
Claims 1-4, 6-13, 15-19, 21-23 are currently pending in this application. Claim 14 has been cancelled. Claim 23 is new.
No new IDS has been filed for this application.
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 10/28/2025 has been entered.
Response to Arguments
Applicant’s arguments with respect to the independent claims have been fully considered but are not found persuasive. Applicants have amended the claims to include “updating the rule set with the handling instructions according to the user-specific requirement for second data assocaited with a second request, wherein the second data is retrieved after the data; and operating on the second data including a second sensitive data portion according to the updated rule set to generate second modified data.” Essentially, the claims recite updating the rules and processing future requests of sensitive data with the updated rules. This would have been obvious to one of ordinary skill in the art. It is well known in the art that rules and policies may be updated and to have subsequent requests; systems are not built to just handle a single request. The prior art further shows the obviousness. As seen in Sahu, paragraph 114 teaches that privacy/sensitivity rules may be changed and updated. The machine learning model is then retrained with such rules and samples. Paragraph 103 further teaches that the machine learning models are monitored and results are used for subsequent training, and teaches that systems are continually updated. See also paragraph 132 wherein rule changes will require regular update and further paragraph 138 wherein users/administrators update the rules. As rules are modified, it is follow that the subsequent requests are processed according to the updated rules.
Applicant’s arguments concerning the rejection of claims 21-22 have been fully considered but are moot in view of new grounds of rejection. See amended rejection below.
Claim Rejections - 35 USC § 101
The prior 101 rejections have been withdrawn in response to applicant’s amendments.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1, 3, 8, 9, 12, 14, 17, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Decouteau et al. US Patent Application Publication 2015/0020213 (Decouteau), in view of Sahu et al. US Patent Application Publication 2023/0128136 (Sahu), and further in view of Dodke et al. US Patent No. 10,079,835 (Dodke).
As per claim 1, Decouteau teaches a method for protecting sensitive data, the method comprising: generating a rule set for handling sensitive data (paragraph 27 and throughout with generating rules for sensitive data); receiving a request from a user (paragraph 10, 33, 43, and throughout with user requesting records); retrieving data associated with the request, wherein the data include at least one of text data, image data, video data, audio data, virtual reality data, or gesture data (paragraph 10, 33-37 which retrieves document and finds associated rules; data may be text, as it is a document); determining a sensitive data portion of the data (paragraph 10, 34 with finding data and applying rules; also see paragarphs 20, 21, and throughout with finding sensitive data and tagging); labeling the sensitive data portion of the data (paragraphs 37-40 and throughout wherein data is tagged); operating on the sensitive data portion according to the rule set based on the labeling to generate modified data (paragraph 29, 31, 40, and throughout with complying with the rules, such as redacting, obfuscating, encrypting tagged data); and returning the modified data to the user (paragraph 10, 40, 41, and throughout with sending the modified data; see also claims 3 and 4).
Although Decouteau teaches receiving a request from a user, Decouteau does not explicitly teach utilizing a natural language processing tool. However, utilizing natural language processing tools is well known in the art. For example, see Sahu (paragraph 73, 89, 115 and throughout with utilizing natural language processors). Sahu further teaches determining sensitive data portion of the data, labelign the sensitive data portion of the data, operating on the sensitive data portion according to the rule set based on the labeling to generate modified dta; and returning the modified data to the user (abstract and throughout reference with finding sensitive data and redacting/masking data to comply with rules; see also paragraphs 99-101, 106, and throughout).
Sahu further shows the obviousness of updating the rule set with the handling instructions according to the user-specific requirement for second data associated with a second request, wherein the second data is retrieved after the data; and operating on the second data including a second sensitive data portion according to the updated rule set to generate second modified data (paragraph 114 wherein rules may be changed and updated; paragraph 103 with rules updated and used for subsequent training, showing systems are continually updated; paragraph 138 wherein users/admin may update/change rules; subsequent request for sensitive data will adhere to such modified/updated rules).
At the time the invention was filed, it would have been obvious to one of ordinary skill in the art to combine the teachings of Decaouteau with Sahu. One of ordinary skill in the art would have been motivated to perform such an addition to provide more security and provide automation in the process of identifying sensitive data (paragraph 11 of Sahu).
The Deconteau combination does not explicitly teach if the sensitive data portion is determined, presenting a response interface to the user, the response interface including a prompt for handling instructions; receiving the handling instructions via the response interface as a contemporaneously-inputted user-specific requirement to the response interface. However, this would have been obvious. For example, see Dodke (col. 14 lines 35-67 with prompting user with sensitive information prompt; user selects handling instructions such as to allow or block output of data). Dodke further teaches operating on the sensitive data according to the handling instructions (col. 14 line 63 to col. 15 line 20 with system handling sensitive data accordingly).
At the time the invention was filed, it would have been obvious to one of ordinary skill in the art to combine the teachings of Dodke with the Decanteau combination. One of ordinary skill in the art would have been motivated to perform such an addition to enable a user to more quickly and conveniently determine whether any textual content constitutes as sensitive data (col. 14 lines 55-60).
As per claim 3, it would have been obvious over the Decouteau combination wherein operating on the sensitive data portion includes replacing the sensitive data portion with generic data (Sahu paragraph 119, with substitution and data/number variance).
As per claim 8, it would have been obvious over the Decouteau combination wherein determining the sensitive data portion of the data includes at least one of: reading a previous label for the data indicating the sensitive data portion, or receiving input of the sensitive data portion form a user (obvious over the Decouteau combination; see Dodke col. 14 line 62 to col. 15 line 35 wherein data is tagged and can be used further at different layers or filters and further in the same passage wherein users may provide input on sensitive data from user).
As per claim 9, it would have been obvious over the Decouteau combination further comprising retraining the machine learning model using the sensitive data portion and the labeling (obvious over Sahu; see paragraph 106 wherein models may be retrained with updated information and other logs; retraining is done via feedback loops).
Claim 12 is rejected using the same basis of arguments used to reject claim 1 above.
Claim 14 is rejected using the same basis of arguments used to reject claim 12 above.
Claim 17 is rejected using the same basis of arguments used to reject claim 8 above.
Claim 18 is rejected using the same basis of arguments used to reject claim 9 above.
Claim(s) 2 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over the Decaouteau combination as applied above, and further in view of Netke et al. US Patent Application Publication 2022/0164474 (Netke)
As per claim 2, the Decouteau combination does not explicitly teach wherein operating on the sensitive data portion includes deleting the sensitive data portion, the method further comprising storing the data without the sensitive data portion. However, this is well known in the art. For example, see Netke (paragraph 22 wherein sensitive information is removed and the data without sensitive data is uploaded/stored).
At the time the invention was filed, it would have been obvious to one of ordinary skill in the art to combine the teachings of the Decouteau combination with Netke. One of ordinary skill in the art would have been motivated to perform such an addition to create more security by providing round trip pseudonymization (paragraph 2 of Netke).
Claim 13 is rejected using the same basis of arguments used to reject claim 2 above.
Claim(s) 4 is rejected under 35 U.S.C. 103 as being unpatentable over the Decaouteau combination as applied above, and further in view of Williamson et al. US Patent Application Publication 2018/0232528 (Williamson)
As per claim 4, the Decouteau combination teaches handling instructions for the sensitive data portion, and wherein operating on the sensitive data portion includes executing the handling instructions according to the rule set (Sahu paragraph 119 with rules including policies that support specific masking techniques), wherein the response interface includes handling instructions (Dodke Figure 5). However, the Decouteau combination does not explicitly teach that this is part of the initial request. However, including initial handling instructions in a request would have been obvious to one of ordinary skill in the art, as it would allow the user/requester to request information as she would like. However, for a further teaching on receiving instructions via a user request, see Williamson (paragraph 62 with user providing instructions for sensitive data; paragraph 77 with user providing instructions to modify data; see also paragraph 102 with user requesting data initially which includes specific instructions).
At the time the invention was filed, it would have been obvious to one of ordinary skill in the art to combine the teachings of the Decouteau combination with Williamson. One of ordinary skill in the art would have been motivated to perform such an addition to create more security by automatically classifying information into different levels of sensitive data automatically (paragraph 2 of Williamson).
Claim(s) 6, 7, 15, and 16 are rejected under 35 U.S.C. 103 as being unpatentable over the Decouteau combination as applied above, and further in view of Nagpal et al. US Patent Application Publication 2012/0078643 (Nagpal).
As per claim 6, the Decouteau combination does not explicitly teach comprising detecting a location associated with the request, wherein the rule set includes a location-based handling instruction, and wherein the location associated with the request includes a user location or a data storage location. However, this would have been obvious. For example, see Nagpal (abstract, paragraph 5, and throughout with rules including geographic location data storage location; see also paragraph 77 with user location).
At the time the invention was filed, it would have been obvious to one of ordinary skill in the art to combine the teachings of the Decouteau combination with Nagpal. One of ordinary skill in the art would have been motivated to perform such an addition to provide more security and to comply with laws and regulations (paragraph 77).
As per claim 7, the Decouteau combination teaches wherein the data storage location is a cloud storage including a plurality of storage nodes, wherein the location-based handling instructions includes allowing storage on a first storage node in the plurality of storage nodes and preventing storage on a second storage node in the plurality of storage nodes (see Nagpal abstract with utilizing rules for storing data in particular storage nodes in the cloud; see paragraph 77 with example where data can only be stored in a cloud region that is local to user)
Claim 15 is rejected using the same basis of arguments used to reject claim 6 above.
Claim 16 is rejected using the same basis of arguments used to reject claim 7 above.
Claim(s) 11 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over the Decouteau combination as applied above, and further in view of Friedland et al. US Patent No. 11,574,027 (Friedland)
As per claim 11, although the Decaouteau combination teaches returning modified data to the user, the combination does not explicitly teach issuing the sensitive data to the user with a warning of sensitive data use. However, providing sensitive data with a warning is well known in the art. For example, see Friedland (col. 9 lines 10-35 with providing a warning with sensitive content).
At the time the invention was filed it would have been obvious to one of ordinary skill in the art to combine the teachings of the Decaouteau combination with Friedland. One of ordinary skill in the art would have been motivated to perform such an addition to provide users with the ability to manage content (col. 1 line 15-30).
Claim 19 is rejected using the same basis of arguments used to reject claim 11 above.
Claim(s) 10 is rejected under 35 U.S.C. 103 as being unpatentable over the Decouteau combination as applied above, and further in view of Austin et al. US Patent Application Publication 2007/0203776 (Austin).
As per claim 10, the Decouteau combination teaches utilizing natural language processing tools (Sahu paragraph 73 and throughout), but does not explicitly teach retrieving previously labeled sensitive data associated with the data retrieval request; and returning the previously labeled sensitive data to the user according to the rule set based on the label of the previously labeled sensitive data. However, this would have been obvious. For example, see Austin (abstract and throughout, with data has been previously marked and saved on the system with redacted information; users/parties can view/retrieve the previously documents with redacted information and view the data according to rules and permissions)
At the time the invention was filed, it would have been obvious to one of ordinary skill in the art to combine the teachings of the Austin combination with Decaouteau. One of ordinary skill in the art would have been motivated to perform such an addition to provide efficiency by allowing all the back office work to be handled automatically with minimal human involvement (abstract).
Claim(s) 21 and 22 are rejected under 35 U.S.C. 103 as being unpatentable over the Decaouteau combination as applied above, and further in view of Mohanty et al. US Patent Application Publication 2024/0152745 (Mohanty).
As per claim 21, the Decaouteau combination teaches wherein determining the sensitive data portion of the data by: applying a machine learning model trained on a training data of a wherein the sensitive data is defined using the machine learning model (see paragraph 76 with machine learning models; see paragraph 90 with pretrained models; see also paragraph 103; see also paragraph 106 with training and receiving input from a domain expert). However, the Decaouteau combination may not explicitly teach that the machine learning model was trained on a plurality of previous requests including a plurality of previous sensitive data. However, this would have been obvious to one of ordinary skill in the art. Sahu already teaches utilizing machine learning models, which includes Long Short-term Memory LSTM, convolutional neural network CNN, and deep learning DL. It would have been ,inherent, if not obvious, that such learning models utilize historical data to be trained. However, for a more explicit teaching on utilizing previous requests/sensitive data to train an AI model, see Mohanty (paragraph 38 and throughout wherein historical data is used to train the pii classification and wherein training may be supervised).
At the time the invention was filed, it would have been obvious to one of ordinary skill in the art to combine the teachings of Mohanty with the Decaouteau combination. One of ordinary skill in the art would have been motivated to perform such an addition to predict what information constitutes as PII (paragraph 4 of Mohanty).)
Claim 22 is rejected using the same basis of arguments used to reject claim 21 above.
Claim(s) 23 is rejected under 35 U.S.C. 103 as being unpatentable over the Decaouteau combination as applied above, and further in view of Conikee et al. US Patent Application Publication 2019/0171846 (Conikee)
As per claim 23, the Decaouteau combination does not explicitly teach wherein the data is labelled with a plurality of sensitivities, each of the plurality of sensitivities defining an acceptable level of acceptable use and unacceptable use. However, this would have been obvious. For example, see Conikee (paragraphs 71, 72, and throughout reference, wherein sensitive data is classified and scored; the score and sensitivity controls how this data is used).
At the time the invention was filed, it would have been obvious to one of ordinary skill in the art to combine the teachings of the Decaouteau combination with Conikee. One of ordinary skill in the art would have been motivated to perform such an addition to create more security by improving data leak prevention (paragraph 3 of Conikee).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JASON KAI YIN GEE whose telephone number is (571)272-6431. The examiner can normally be reached on Monday-Friday 8:30-5:00 PST Pacific.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on (571) 272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
/JASON K GEE/Primary Examiner, Art Unit 2495