DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Amendments
This office action responds to the amendments filed on April 17, 2026 for application 18/473,760. Claims 2 and 14 are amended, and claims 1-20 remain pending in the application.
Response to Arguments
The Examiner has fully considered the Applicant’s arguments filed on April 17, 2026, and the Examiner responds as provided below.
Regarding the Applicant’s response at pages 8-15 of the Remarks that concerns the § 103 rejection, the Applicant states, “Independent claim 1-and similarly claims 10 and 18-recites the following features that are distinguishable over Park, Adjaoute, Kolman, Cook, and Berggren: ‘...a breach listing, the breach listing identifying the plurality of breach events and identifying a plurality of breached organizations wherein each breached organization corresponds to a respective breach event in the plurality of breach events[.]’” Reply at 9. The Applicant proceeds to argue that each of the references “alone or in combination, do not teach or otherwise render obvious at least these features.”
The primary concept at issue is the “breach listing identifying the plurality of breach events and … breached organizations,” where this breach listing is based upon “accessing an electronic transaction account” and “generating electronic transaction information.” In essence, the use of a single transaction account can be used to detect not just one breach event and organization, but a plurality of breach events and respective organizations.
As an initial matter, and as a general rule of thumb in patent law, extending a claim limitation from a single instance to a plurality of instances would be obvious to one skilled in the art. See MPEP § 2143(I)(E) (providing the “Obvious to Try” KSR rationale when choosing from a finite number of solutions). If a person skilled in the art learns how to implement a feature once, then implementing the feature again can be obvious. Here, Applicant claims an electronic transaction is used to create a list of a “plurality of breach events.” The Examiner maintains that a list containing a plurality of breach events is obvious in view of a list that contains one breach event (i.e., it would be obvious to try a listing of a plurality of breach events). Indeed, a strong motivation exists to list every breach event for the sake of achieving a comprehensive indicator of risk.
With respect to Berggren, the Applicant characterizes as a non-relevant reference because it involves a PKI system. Reply at 13. While true, that does not take away from the teaching of identifying a plurality of organizations whose trust has been breached, whether the breach event involves one of data or alternatively one of a private key. Although Berggren does not involve a breach event of data—which is taught adequately by at least Park, ¶ [0055]—its simple teaching associated with the treatment of organizations is relevant.
Notwithstanding the sufficiency of Berggren, the Examiner relied upon Cook at ¶ [0064], which teaches that a risk score is calculated based on “data about the frequency of the match (i.e., has this data been matched previously), data about other recent matches…” See Office Action, Jan. 30, 2026, at 12. This language suggests a “plurality of breach events” and a “plurality of organizations.” Additionally, Cook at ¶ [0066] further teaches, “The method 900 may further include determining a risk score based on the information about each breach,” (emphasis added) with the use of “each” suggesting more than one breach event, which typically involves a plurality of organizations.
Similarly, Cook at ¶ [0023] states, “Each match [involving a plurality of matches] returned can include information about the data breach [event], which may consists of the date of the breach, the size/volume of the breach, a code indicating how the data was lost or stolen, among other attributes.” (emphasis added). Again, a plurality of breach events is taught, and the reasonable, real-world assumption, is that the multitude of breaches occurred through multiple organizations, as opposed to a single organization.
Cook at ¶ [0047] states “A risk score for a particular consumer may increase based on the number of data breaches [and associated with a plurality of organizations] for which PII data of that user has been included,” and Cook at ¶ [0045] further states, “The PII exchange application 202 may provide the results of the comparison to the risk scoring module 430, which may determine a risk assessment score and provide the score to an alerting module 432 that, when executed, may cause the processor 412 to communicate data related to the risk assessment score [i.e., a list of data breaches and associated organizations] to the at-risk entity 104,” where providing a list of data breaches and associated organizations would be obvious to one skilled in the art, as this provides helpful insight on the risks confronting the consumer. See MPEP § 2141(III), stating “Prior art is not limited just to the references being applied, but includes the understanding of one of ordinary skill in the art. The prior art reference (or references when combined) need not teach or suggest all the claim limitations, however, Office personnel must explain why the difference(s) between the prior art and the claimed invention would have been obvious to one of ordinary skill in the art.”
The Applicant summarily states, “Thus, Park, Adjaoute, Kolman, Cook, and Berggren, alone or in combination, do not disclose or other render obvious all of the claim elements of independent claims 1, 10, and 18.” Reply at 15. Although the Examiner only relied upon and cited ¶ [0064] of Cook, the Applicant’s statement indicates that Applicant reviewed the entire Cook reference, including the material now cited, and concluded that Cook did not teach or suggest the disputed claim limitations. The Examiner respectfully disagrees for the reasons presented above.
The Applicant also states that Park is directed to “potential future breaches rather than past breach events and therefore cannot identify a breached organization,” and thus is not relevant to a “breach history.” Reply at 11. However, the Examiner relied upon Park, ¶ [0055] that taught a “credit card number previously found on a dark web page.” Office Action, Jan. 30, 2026, at 6. This squarely teaches a past breach event. With respect to associating an organization to the past breach event, the Examiner relied upon Berggren ¶ [0045] that teaches “An exhaustive check is required because a security breach for any entity listed in trust relationship 100.” Office Action, Jan. 30, 2026 at 13. Here, Berggren clearly teaches identifying an organization/entity involved in a breach event. The Examiner further notes, and as previously stated with respect to the Cook reference, listing an organization associated with a breach event is an obvious step to one skilled in the art, for it provides context to the breach event for consumers to act upon.
Applicant argues at pages 16-18 that Cook fails to teach the limitations associated with the amendments to claims 2 and 14. For the reasons provided above with respect to Cook, the arguments are not persuasive.
Applicant next argues at pages 18-21 of the Reply that “Finally, the Office Action has not shown that a person of ordinary skill in the art (“POSA”) would have been motivated to combine Berggren with Park, Adjaoute, Kolman, and Cook,” and comments, “The Office Action provides a simplistic explanation of KSR rationales to allegedly support a motivation to combine….” The argument, however, has no basis in law because Applicant fails to appreciate the legal difference between a motivation to combine and a KSR rationale to combine.
To support a § 103 rejection, an examiner must substantiate a rationale to combine references. Prior to the Supreme Court case KSR Int’l Co. v Teleflex, Inc., any rationale to combine was limited to the requirement that a reference present a teaching, suggestion, or motivation (“TSM”). The Supreme Court expanded the rationales to combine via the KSR rationales (e.g., obvious to try, simple substitution, use of a known technique), and these KSR rationales negate the need to provide a “motivation” as a rationale. See MPEP § 2143(I) (presenting the different rationales to combine, where the TSM rationale is listed separately from the KSR rationales). Given Applicant’s misplaced understanding of the law regarding a prima facie obviousness rejection, the points of the argument lack legal sufficiency and are not addressed.
Based upon the foregoing reasons, the § 103 rejection is maintained.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The following conventions apply to the mapping of the prior art to the claims:
Italicized text – claim language.
Parenthetical plain text – Examiner’s citation and explanation.
Citation without an explanation – an explanation has been previously provided for the respective limitation(s).
Quotation marks – language quoted from a prior art reference.
Underlining – language quoted from a claim.
Brackets – material altered from either a prior art reference or a claim, which includes the Examiner’s explanation that relates a claim limitation to the quoted material of a reference.
Braces – a limitation taught by another reference, but the limitation is presented with the mapping of the instant reference for context.
Numbered superscript – a first phrase to be moved upwards to the primary reference analysis.
Lettered superscript – a second phrase to be moved after the movement of the first phrase from which it was lifted, or more succinctly, move numbered material first, lettered material last.
A. Claims 1-5, 8, 10, and 12-14 are rejected under 35 U.S.C. 103 as being unpatentable over Park et al. (US 2018/0026996, “Park”) in view of Adjaoute (2015/0073891, “Adjaoute”), and further in view of Kolman et al. (US 9,558,346, “Kolman”), Cook et al. (US 2017/0161746, “Cook”), and Berggren (US 2009/0086977, “Berggren”).
Regarding Claim 1
Park discloses
A method for apprising a consumer of an accumulated risk resulting from data breaches (¶ [0065], “In another embodiment, the cyber-security system 201 may notify [apprise] the consumer of the action event [data breach]. To reduce the impact [risk] of a data breach, it may be advantageous to notify the consumer and/or services associated with the data breach.”, noting it would be obvious to one skilled in the art to notify a consumer for each data breach that leads to an accumulated risk for the data breaches for multiple data breaches; and ¶ [0054], “In some instances, the cyber-traffic event analysis system may continually compile consumer data based on [breached] data found on the Internet. For example, the cyber-traffic event analysis system may monitor dark web pages for credit card numbers [resulting from data breaches], addresses, phone numbers, etc.”),
comprising:
receiving enrollment information for the consumer (¶ [0052], “In another example, the consumer may register [enroll] to receive a digital safety score. As part of the registration, the consumer may be presented with a list of accounts [enrollment information], and may be asked to give [and thereby receive] credentials for the accounts [as further enrollment information for the consumer].”);
generating a consumer profile breach history for the consumer based on the enrollment information (¶ [0052], “As part of the registration, the consumer may be presented with a list of accounts,... [enrollment information]”; ¶ [0029], “If an account is breached (or if suspicious activity is detected), the cyber-security system 201 may be notified [and the breach history generated and stored for future reference]. The cyber-security system 201 may then notify the consumer [of the information comprising the consumer profile breach history], such as by sending an alert to a user computing device 208 and/or user mobile computing device 210.”; and ¶ [0030], “In an embodiment, the collected user [enrollment] information may be used to generate a consumer profile for the consumer. The consumer profile may be updated periodically [that encompasses history for the consumer] as new consumer information is gathered or received.”);
accessing an electronic transaction account associated with the consumer (¶ [0055], “In yet another embodiment, the cyber-security system 201 may compare the consumer information with data known to correspond to the consumer. In some instances, the cyber-security system 201 may determine if data compiled by the cyber-traffic event analysis system matches data associated with the consumer. For example, the cyber-security system 201 may determine if a credit card number previously found on a dark web page and stored in a database of detected credit card numbers [with each credit card number associated with a respective transaction account] matches a credit card number entered by the consumer [and thus, the transaction account is accessed to enable the “match[ing]” ].”),
the electronic transaction account configured to execute a consumer transaction between the consumer and a party to the consumer transaction (¶ [0055], “For example, the cyber-security system 201 may determine if a credit card number [and the associated electronic transaction account being configured to execute a consumer transaction between the consumer and party to the consumer transaction] previously found on a dark web page and stored in a database of detected credit card numbers [transaction account] matches a credit card number entered by the consumer [and thus, the transaction account is accessed to enable the “match[ing]” ].”);
1 …;
accessing breach information for a plurality of data breaches (¶ [0055], “For example, the cyber-security system 201 may determine if a credit card number previously found [accessed] on a dark web page and stored in a database of detected credit card numbers [as breach information for a plurality of data breaches] matches a credit card number entered by the consumer.”; see also Adjaoute ¶¶ [0168]-[0170], “In tests with historical transaction data [breach information for a plurality of data breaches] involving Target Corporation Stores, fraud scores such as these rose sharply at the same time the criminals begin their ‘test and try’ activity. E.g., the first week of December.”);
comparing the electronic transaction information with the breach information to determine a plurality of breach events (¶ [0055], “For example, the cyber-security system 201 may determine if a credit card number previously found on a dark web page and stored in a database of detected credit card numbers matches [via a comparison] a credit card number entered by the consumer.”; see also Adjaoute ¶¶ [0169]-[0170], “In tests with historical transaction data involving Target Corporation Stores, fraud scores [based upon breach events] such as these rose sharply at the same time the criminals begin their ‘test and try’ activity. E.g., the first week of December. The following Table is of selected key variables that were used to drive the analytics [comparisons].”),
the plurality of breach events representing a matching of the electronic transaction information with the breach information of a corresponding one of the data breaches (¶ [0055], “For example, the cyber-security system 201 may determine if a credit card number previously found on a dark web page [and associated breach events] and stored in a database of detected credit card numbers matches a credit card number entered by the consumer [and corresponding electronic transaction information as taught by Adjaoute ¶ [0168]].”; see also Adjaoute ¶¶ [0169]-[0170], “In tests with historical transaction data involving Target Corporation Stores, fraud scores such as these rose sharply at the same time the criminals begin their ‘test and try’ activity. E.g., the first week of December. The following Table is of selected key variables that were used to drive the analytics [to observe the matching of electronic transaction information to the breach information of a corresponding one of the data breaches].”);
2 …; and
appending the consumer profile breach history with one or more accumulated harm risk scores, (¶ [0052], “In another example, the consumer may register to receive a digital safety score [an accumulated harm risk score that is appended to the consumer profile breach history of a respective consumer via the storing of all relevant consumer information in a relational database].”; ¶¶ [0045]-[0047], “A digital safety score [accumulated harm risk score] 405 may be a rating and/or representation of different components which contribute to the risk of a data breach of an associated consumer. The digital safety score 405 may be a numeric value that indicates the risk of a data breach. While the description herein assumes a higher score reflects a lower chance of a data breach, any algorithm for determining the value may be used.”; and ¶¶ [0037]-[0038], “In some embodiments, the cyber-security system 201 may determine when and through which means to notify a consumer of the risks of a data breach and/or evidence of a data breach according to preset rules and strategies calculated from the data gathered from the information data sources 304 a-n.”, i.e., the calculated risk is based upon the accumulated “data sources,” and thus the probability calculated is an “accumulated risk.”),
3 ….
Park doesn’t disclose
1 generating electronic transaction information for the consumer transaction;
2 appending the consumer profile breach history with a breach listing, the breach listing identifying the plurality of breach events and identifying a plurality of breached organizations wherein each breached organization corresponds to a respective breach event in the plurality of breach events;
3 wherein each of the one or more accumulated harm risk scores corresponds to each respective breach event from the plurality of breach events and provides a relative indicator of risk accumulated for the consumer as a cumulative result of breach information elements corresponding to the respective breach event.
Adjaoute, however, discloses
1 generating electronic transaction information for the consumer transaction (¶¶ [0168]-[0170], “Data breach detection system 1500 focuses on the correlations between cardholders, merchants, and transaction dates [collectively electronic transaction information] in transactions receiving high risk fraud scores [with the scores relying upon the use of generated electronic transaction information], e.g., 118 (FIG. 1), 428 (FIG. 4), 552 (FIG. 5), 728 (FIGS. 7), and 1414 (FIG. 14).”; and ¶ [0024], “Briefly, an artificial intelligence data breach detection embodiment of the present invention detects breaches of secure payment card data by analyzing real-time transaction records [electronic transaction information] as they flow in. On-going searches are made by analyzing the high risk transactions daily and comparing them with behaviors days, weeks, and month. A table of cards with the first known fraud dates is created. An investigation is launched into the merchants with suspect transactions.”);
Regarding the combination of Park and Adjaoute, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify risk assessment system of Park to arrive at the claimed invention. KSR establishes that a rationale for obviousness is proven by showing a “use of [a] known technique to improve similar devices in the same way.” See MPEP § 2143(I)(C).
To substantiate the conclusion of obviousness under this KSR rationale, the Examiner finds pursuant to MPEP § 2143(I)(C):
1) the prior art contained a base system, namely the risk assessment system of Park, upon which the claimed invention can be seen as an “improvement” through the use of generating electronic transaction information;
2) the prior art contained a “comparable” system, namely the security system of Adjaoute, that has been improved in the same way as the claimed invention through the generating electronic transaction information; and
3) one of ordinary skill in the art could have applied the known improvement technique of applying the generation of electronic transaction information to the base risk assessment system of Park, and the results would have been predictable to one of ordinary skill in the art.
Kolman, however, discloses
2 appending the consumer profile breach history with a breach listing, the breach listing identifying the one or more breach events and…a (Fig. 3, Col. 9:14-25, “FIG. 3 shows a screen shot 300 of the user interface 118. In this embodiment, the user interface presents a [breach] list of detected events [associated and appended to the consumer profile breach history within the database of the breach system] responsive to actuation of an incidents tab 302. In this context, and as indicated previously, an ‘incident’ is considered an example of a type of security-related event as the latter term is broadly utilized herein. The events shown in the screen shot 300 are presented in order of decreasing learned riskiness, based on the corresponding ordered list of risk scores shown in column 304. As noted above, at least a subset of these risk scores are assumed to be determined based on feedback as processed by the classifier 114A.”);
3 wherein each of the one or more accumulated harm risk scores corresponds to each respective breach event from the plurality of breach events and…b (see Cook below) (Fig. 3, Col. 9:14-25, “The events shown in the screen shot 300 are presented in order of decreasing learned riskiness, based on the corresponding ordered list of risk scores [corresponding to the accumulated risk scores as disclosed by Park ¶¶ [0045]-[0047], [0052]] shown in column 304.”).
Regarding the combination of Park-Adjaoute and Kolman, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify risk assessment system of Park-Adjaoute to arrive at the claimed invention. KSR establishes that a rationale for obviousness is proven by showing a “use of [a] known technique to improve similar devices in the same way.” See MPEP § 2143(I)(C).
To substantiate the conclusion of obviousness under this KSR rationale, the Examiner finds pursuant to MPEP § 2143(I)(C):
1) the prior art contained a base system, namely the risk assessment system of Park-Adjaoute, upon which the claimed invention can be seen as an “improvement” through the use of a breach-list feature;
2) the prior art contained a “comparable” system, namely the security system of Kolman, that has been improved in the same way as the claimed invention through the use of a breach-list feature; and
3) one of ordinary skill in the art could have applied the known improvement technique of applying the use of a breach-list feature to the base risk assessment system of Park-Adjaoute, and the results would have been predictable to one of ordinary skill in the art.
Cook, however, discloses
b … provides a relative indicator of risk accumulated for the consumer as a cumulative result of breach information elements corresponding to the respective breach event (Fig. 8, ¶ [0064], “At 808, the method 800 may include returning a risk score to a destination device based on the comparison. In certain embodiments, the results from the comparisons [that yield a relative indicator of risk] (whether from the local PII database or from the compromised companies) may be aggregated [accumulated risk] and analyzed to determine the risk score. In certain embodiments, the risk score may be based on a variety of data, including data about the [respective] breach event, data about the field that was matched (i.e., date of birth versus social security number [as two types of breach information elements associated with the respective breach event]), data about the frequency of the match (i.e., has this data been matched previously), data about other recent matches, and so on. Based on the data, a risk score may be calculated that can reflect the probability that a particular piece of consumer data may be misused.”).
Regarding the combination of Park-Adjaoute-Kolman and Cook, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify risk assessment system of Park-Adjaoute-Kolman to arrive at the claimed invention. KSR establishes that a rationale for obviousness is proven by showing a “use of [a] known technique to improve similar devices in the same way.” See MPEP § 2143(I)(C).
To substantiate the conclusion of obviousness under this KSR rationale, the Examiner finds pursuant to MPEP § 2143(I)(C):
1) the prior art contained a base system, namely the risk assessment system of Park-Adjaoute-Kolman, upon which the claimed invention can be seen as an “improvement” through the use of a breach-information element feature;
2) the prior art contained a “comparable” system, namely the security system of Cook, that has been improved in the same way as the claimed invention through the use of a breach-information element feature; and
3) one of ordinary skill in the art could have applied the known improvement technique of applying the use of a breach-information element feature to the base risk assessment system of Park-Adjaoute-Kolman, and the results would have been predictable to one of ordinary skill in the art.
Berggren, however, discloses
a …identifying a plurality of breached organizations wherein each breached organization corresponds to a respective breach event in the plurality of breach events (¶ [0045], “When validation authority 72 is queried as to the status of a certificate, validation authority 72 will determine [identify] the trust status of each and every entity listed in trust relationship 100. An exhaustive check is required because a security breach for any entity [organization] listed in trust relationship 100 shows that private key 36 may have been acquired [within a respective breach event] by a party other than user 140. Moreover, user 140 may further invalidate certificate 50 in case of a theft or a loss of exclusive control of private key 36.”; see also Cook ¶ [0066], “The method 900 may further include determining a [one accumulated harm] risk score based on the information about each breach,” i.e., “each” suggests more than one breach event, which typically involves a plurality of organizations; ¶ [0023] “Each match [involving a plurality of matches] returned can include information about the data breach [event], which may consists of the date of the breach, the size/volume of the breach, a code indicating how the data was lost or stolen, among other attributes.”, i.e., a plurality of breach events is taught, and the reasonable, real-world assumption, is that the multitude of breaches occurred through multiple organizations, as opposed to a single organization; and ¶ [0047], “A [accumulated harm] risk score for a particular consumer may increase based on the number of data breaches [and associated with a plurality of organizations] for which PII data of that user has been included.”; and ¶ [0045], “The PII exchange application 202 may provide the results of the comparison to the risk scoring module 430, which may determine a risk assessment score and provide the score to an alerting module 432 that, when executed, may cause the processor 412 to communicate [and subsequently display] data related to the [accumulated harm] risk assessment score [i.e., a list of data breaches and associated organizations] to the at-risk entity 104,” where providing a list of data breaches and associated organizations would be obvious to one skilled in the art, as this provides helpful insight on the risks confronting the consumer. See MPEP § 2141(III), stating “Prior art is not limited just to the references being applied, but includes the understanding of one of ordinary skill in the art. The prior art reference (or references when combined) need not teach or suggest all the claim limitations, however, Office personnel must explain why the difference(s) between the prior art and the claimed invention would have been obvious to one of ordinary skill in the art.”);
Regarding the combination of Park-Adjaoute-Kolman-Cook and Berggren, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify risk assessment system of Park-Adjaoute-Kolman to arrive at the claimed invention. KSR establishes that a rationale for obviousness is proven by showing a “use of [a] known technique to improve similar devices in the same way.” See MPEP § 2143(I)(C).
To substantiate the conclusion of obviousness under this KSR rationale, the Examiner finds pursuant to MPEP § 2143(I)(C):
1) the prior art contained a base system, namely the risk assessment system of Park-Adjaoute-Kolman-Cook, upon which the claimed invention can be seen as an “improvement” through the use of a breached organization listing feature;
2) the prior art contained a “comparable” system, namely the security system of Berggren, that has been improved in the same way as the claimed invention through the use of a breached organization listing feature; and
3) one of ordinary skill in the art could have applied the known improvement technique of applying the use of a breached organization listing feature to the base risk assessment system of Park-Adjaoute-Kolman-Cook, and the results would have been predictable to one of ordinary skill in the art.
Regarding the combination of Park-Adjaoute-Kolman and Cook, the rationale to combine is the same as provided above due to the overlapping subject matter.
Regarding Claim 2
Park in view of Adjaoute, and further in view of Kolman, Cook and Berggren (“Park-Adjaoute-Kolman-Cook-Berggren”) discloses the method according to claim 1, and Park further discloses
further comprising: displaying the consumer profile breach history (¶¶ [0029]-[0030], [0052]) with the {breach listing (Kolman Fig. 3, Col. 9:14-25)},
1…
via a consumer user interface operable on a computing device (¶ [0044], “FIG. 4 illustrates a user interface 400 displaying an example rating screen for a digital safety score 405 [i.e., it would be obvious to one skilled in the art to display any information to a consumer relevant to a data breach and the associated security risk]. In some examples, these [consumer] user interfaces may be generated by an application server, web application 224, user computing device 208, and/or user mobile computing device 210.”).
Regarding the combination of Park-Adjaoute and Kolman, the rationale to combine is the same as provided for claim 1 due to the overlapping subject matter of claims 1 and 2.
Cook further discloses
1 ...wherein the breached organization is displayed with the one or more accumulated harm risk scores… (¶ [0066], “The method 900 may further include determining a [one accumulated harm] risk score based on the information about each breach,” i.e., “each” suggests more than one breach event, which typically involves a plurality of organizations; ¶ [0023] “Each match [involving a plurality of matches] returned can include information about the data breach [event], which may consists of the date of the breach, the size/volume of the breach, a code indicating how the data was lost or stolen, among other attributes.”, i.e., a plurality of breach events is taught, and the reasonable, real-world assumption, is that the multitude of breaches occurred through multiple organizations, as opposed to a single organization; and ¶ [0047], “A [accumulated harm] risk score for a particular consumer may increase based on the number of data breaches [and associated with a plurality of organizations] for which PII data of that user has been included.”; and ¶ [0045], “The PII exchange application 202 may provide the results of the comparison to the risk scoring module 430, which may determine a risk assessment score and provide the score to an alerting module 432 that, when executed, may cause the processor 412 to communicate [and subsequently display] data related to the [accumulated harm] risk assessment score [i.e., a list of data breaches and associated organizations] to the at-risk entity 104,” where providing a list of data breaches and associated organizations would be obvious to one skilled in the art, as this provides helpful insight on the risks confronting the consumer. See MPEP § 2141(III), stating “Prior art is not limited just to the references being applied, but includes the understanding of one of ordinary skill in the art. The prior art reference (or references when combined) need not teach or suggest all the claim limitations, however, Office personnel must explain why the difference(s) between the prior art and the claimed invention would have been obvious to one of ordinary skill in the art.”)
Regarding the combination of Park-Adjaoute-Kolman and Cook, the rationale to combine is the same as provided for claim 1 due to the overlapping subject matter of claims 1 and 2.
Regarding Claim 3
Park-Adjaoute-Kolman-Cook-Berggren discloses the method according to claim 2, and Park further discloses
further comprising: appending the consumer profile breach history (¶¶ [0029]-[0030], [0052]) to display one or more mitigation actions relative to one or more of the plurality of breach events, the mitigation actions detailing options available to the consumer for reducing risk and/or harm resulting from one or more of the plurality of breach events (¶ [0074], “For instance, cyber-security system 201 may close accounts which have not been accessed for a predetermined period of time such as greater than one year. In another embodiment, cyber-security system 201 may generate recommendations based on the identification of the sources of the subscriptions. In another embodiment, the consumer may determine that various accounts [that are also related to the risk of data breaches as taught by Adjaoute and Kolman] should be closed [as an option of a mitigation action to reduce risk] based on a review of the listings. In this case, a consumer may indicate via a user interface that various accounts should be closed and cyber-security system 201 may begin an account closing process for the consumer.”).
Regarding Claim 4
Park-Adjaoute-Kolman-Cook-Berggren discloses the method according to claim 3, and Park further discloses
further comprising: appending the consumer profile breach history to display one or more selectable links for the mitigation actions, the selectable links being selectable via the consumer user interface to direct the consumer to a resource interface for actioning a corresponding one of the mitigation actions (¶ [0074], noting that although Park is silent to the use of selectable links, the use of links or hyperlinks to select an option by a user via a graphical user interface is well established in the computer arts and would be obvious to one skilled in the arts. See MPEP § 2141(III), stating “Prior art is not limited just to the references being applied, but includes the understanding of one of ordinary skill in the art. The prior art reference (or references when combined) need not teach or suggest all the claim limitations, however, Office personnel must explain why the difference(s) between the prior art and the claimed invention would have been obvious to one of ordinary skill in the art.”).
Regarding Claim 5
Park-Adjaoute-Kolman-Cook-Berggren discloses the method according to claim 4, and Park further discloses
further comprising: prioritizing display of the mitigation actions to identify a relatively strongest one of mitigation actions, with each remaining mitigation actions ordered thereafter according to a level strength (¶ [0074], noting that although Park is silent to prioritizing display of the mitigation action, ordering options in order of effectiveness is well-known to those skilled in the art (i.e., presenting options randomly with no rhyme or reason would just be the handiwork of a poor programmer). See MPEP § 2141(III), stating “Prior art is not limited just to the references being applied, but includes the understanding of one of ordinary skill in the art. The prior art reference (or references when combined) need not teach or suggest all the claim limitations, however, Office personnel must explain why the difference(s) between the prior art and the claimed invention would have been obvious to one of ordinary skill in the art.”).
Regarding Claim 8
Park-Adjaoute-Kolman-Cook-Berggren discloses the method according to claim 1, and Park further discloses
further comprising: generating a breach notification to apprise the consumer of appending the consumer profile breach history with the breach events (¶ [0027], “For example, the cyber-security system 201 may determine that the credit card number corresponds to the consumer, and push [generate] an alert [breach notification] to an application on the user's [consumer] mobile computing device 210 notifying the user that their credit card number may have been breached.”).
Regarding Independent Claim 10
With respect to claim 10, a corresponding reasoning as given earlier for claim 1 applies, mutatis mutandis, to the subject matter of claim 10. Therefore, claim 10 is rejected, for similar reasons, under the grounds set forth for claim 1.
Regarding Claim 12
With respect to claim 12, a corresponding reasoning as given earlier for claim 2 applies, mutatis mutandis, to the subject matter of claim 12. Therefore, claim 12 is rejected, for similar reasons, under the grounds set forth for claim 2.
Regarding Claim 13
With respect to claim 13, a corresponding reasoning as given earlier for claims 4 and 8 applies, mutatis mutandis, to the subject matter of claim 13. Therefore, claim 13 is rejected, for similar reasons, under the grounds set forth for claims 4 and 8.
Regarding Claim 14
With respect to claim 14, a corresponding reasoning as given earlier for claim 2 applies, mutatis mutandis, to the subject matter of claim 14. Therefore, claim 14 is rejected, for similar reasons, under the grounds set forth for claim 2.
B. Claims 6-7 and 15-20 are rejected under 35 U.S.C. 103 as being unpatentable over Park in view of Adjaoute, Kolman, Cook, and Berggren, and further in view of Lockhart (US 2017/0161520, “Lockhart”).
Regarding Claim 6
Park-Adjaoute-Kolman-Cook-Berggren discloses the method according to claim 4, and Park further discloses
further comprising: appending the consumer profile breach history (¶¶ [0029]-[0030], [0052]) to display…1,
2 ….
Park-Adjaoute-Kolman-Cook-Berggren doesn’t disclose
1 one or more potential harms relative to one or more of the breach events,
2 wherein the one or more potential harms correspond to a potential impact, injury, or damage to the consumer from one or more of the plurality of breach events.
Lockhart, however, discloses
1 one or more potential harms relative to one or more of the breach events (¶ [0100], “The aggregation may include the results from the comparison to the scraped data. In certain embodiments, the risk score may be based on a variety of data, including data about the breach event, data about the field that was matched (i.e., date of birth versus social security number), data about the frequency of the match (i.e., has this data been matched previously), data about other recent matches, and so on [that are relative to one or more of the breach events, with each breach event involving one of the different types of data, e.g., “date of birth” and “social security number”]. Based on the data, a risk score may be calculated that can reflect the probability that a particular piece of consumer data may be misused.”),
2 wherein the one or more potential harms correspond to a potential impact, injury, or damage to the consumer from one or more of the breach events (¶ [0100], “Based on the data, a risk score may be calculated that can reflect the probability that a particular piece of consumer data may be misused [that is correlated to potential harms correspond to a potential impact, injury, or damage].”).
Regarding the combination of Park-Adjaoute-Kolman-Cook-Berggren and Lockhart, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify risk assessment system of Park-Adjaoute-Kolman-Cook-Berggren to arrive at the claimed invention. KSR establishes that a rationale for obviousness is proven by showing a “use of [a] known technique to improve similar devices in the same way.” See MPEP § 2143(I)(C).
To substantiate the conclusion of obviousness under this KSR rationale, the Examiner finds pursuant to MPEP § 2143(I)(C):
1) the prior art contained a base system, namely the risk assessment system of Park-Adjaoute-Kolman-Cook-Berggren, upon which the claimed invention can be seen as an “improvement” through the use of an impact probability feature;
2) the prior art contained a “comparable” system, namely the security system of Kolman, that has been improved in the same way as the claimed invention through the use of an impact probability feature; and
3) one of ordinary skill in the art could have applied the known improvement technique of applying the use of an impact probability feature to the base risk assessment system of Park-Adjaoute-Kolman-Cook-Berggren, and the results would have been predictable to one of ordinary skill in the art.
Regarding Claim 7
Park in view of Adjaoute and Kolman, and further in view of Lockhart (“Park-Adjaoute-Kolman-Cook-Berggren-Lockhart”) discloses the method according to claim 6, and Park further discloses
further comprising: appending the consumer profile breach history (¶¶ [0029]-[0030], [0052]) to display…1,
2 ….
Lockhart further discloses
1 …an element risk score for each of the potential harms (¶ [0100], “The aggregation may include the results from the comparison to the scraped data. In certain embodiments, the risk score may be based on a variety of data, including data about the breach event, data about the field that was matched (i.e., date of birth versus social security number), data about the frequency of the match (i.e., has this data been matched previously), data about other recent matches, and so on. Based on the data, a risk score may be calculated that can reflect the probability that a particular [elemental] piece of consumer data may be misused [as a potential harm].”),
2 the element risk scores providing a relative indicator of risk to the consumer for the corresponding one of the potential harms (¶ [0100], i.e., a higher “probability” for “misuse[]” provides a relative indicator of risk to the consumer).
Regarding the combination of Park-Adjaoute-Kolman-Cook-Berggren and Lockhart, the rationale to combine is the same as provided for claim 6 due to the overlapping subject matter of claims 6 and 7.
Regarding Claim 15
With respect to claim 15, a corresponding reasoning as given earlier for claim 6 applies, mutatis mutandis, to the subject matter of claim 15. Therefore, claim 15 is rejected, for similar reasons, under the grounds set forth for claim 6.
Regarding Claim 16
With respect to claim 16, a corresponding reasoning as given earlier for claim 7 applies, mutatis mutandis, to the subject matter of claim 16. Therefore, claim 16 is rejected, for similar reasons, under the grounds set forth for claim 7.
Regarding Claim 17
With respect to claim 17, a corresponding reasoning as given earlier for claim 3 applies, mutatis mutandis, to the subject matter of claim 17. Therefore, claim 17 is rejected, for similar reasons, under the grounds set forth for claim 3.
Regarding Independent Claim 18
With respect to claim 18, a corresponding reasoning as given earlier for claims 1, 3, and 6 applies, mutatis mutandis, to the subject matter of claim 17. Therefore, claim 18 is rejected, for similar reasons, under the grounds set forth for claim 1, 3, and 6.
Regarding Claim 19
With respect to claim 19, a corresponding reasoning as given earlier for claims 3 and 6 applies, mutatis mutandis, to the subject matter of claim 19. Therefore, claim 19 is rejected, for similar reasons, under the grounds set forth for claims 3 and 6.
Regarding Claim 20
With respect to claim 20, a corresponding reasoning as given earlier for claim 7 applies, mutatis mutandis, to the subject matter of claim 20. Therefore, claim 20 is rejected, for similar reasons, under the grounds set forth for claim 7.
C. Claims 9 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Park in view of Adjaoute, Kolman, Cook, and Berggren, and further in view of Theebaprakasam et al. (US 2015/0082396, “Theebaprakasam”).
Regarding Claim 9
Park-Adjaoute-Kolman-Cook-Berggren discloses the method according to claim 1, and Park further discloses
further comprising: accessing the electronic transaction account…1 (¶ [0055])
Park-Adjaoute-Kolman-Cook-Berggren doesn’t disclose
1 …via a network using an account plug-in for the electronic transaction account.
Theebaprakasam, however, discloses
1 …via a network using an account plug-in for the electronic transaction account (Fig. 2, ¶ [0054], “FIG. 3 depicts an example implementation of a plug-in framework 302 that may be implemented by the plug-in module 148 of FIG. 1. In some examples, the account management service computers 108 may implement an account manager 304 (e.g., implemented by the account module 152 of FIG. 1) for providing access the secure resources of a target [electronic transition] account. As noted, the plug-in framework 302 may enable customers to provide customer code (e.g., plug-in code) 306(1)-(N), collectively customer code 306, for setting rules, privileges, APIs, and/or workflows for accessing [via a network] the target resources.”).
Regarding the combination of Park-Adjaoute-Kolman-Cook-Berggren and Theebaprakasam, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify risk assessment system of Park-Adjaoute-Kolman-Cook-Berggren to arrive at the claimed invention. KSR establishes that a rationale for obviousness is proven by showing a “use of [a] known technique to improve similar devices in the same way.” See MPEP § 2143(I)(C).
To substantiate the conclusion of obviousness under this KSR rationale, the Examiner finds pursuant to MPEP § 2143(I)(C):
1) the prior art contained a base system, namely the risk assessment system of Park-Adjaoute-Kolman-Cook-Berggren, upon which the claimed invention can be seen as an “improvement” through the use of a plug-in feature;
2) the prior art contained a “comparable” system, namely the network system of Theebaprakasam, that has been improved in the same way as the claimed invention through the use of a plug-in feature; and
3) one of ordinary skill in the art could have applied the known improvement technique of applying the use of a plug-in feature to the base risk assessment system of Park-Adjaoute-Kolman-Cook-Berggren, and the results would have been predictable to one of ordinary skill in the art.
Regarding Dependent Claim 11
With respect to claim 11, a corresponding reasoning as given earlier for claim 9 applies, mutatis mutandis, to the subject matter of claim 11. Therefore, claim 11 is rejected, for similar reasons, under the grounds set forth for claim 9.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to D'ARCY WINSTON STRAUB whose telephone number is (303)297-4405. The examiner can normally be reached Monday-Friday 9:00-5:00 Mountain Time.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, WILLIAM KORZUCH can be reached at (571)272-7589. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/D'Arcy Winston Straub/Primary Examiner, Art Unit 2491