Prosecution Insights
Last updated: April 19, 2026
Application No. 18/473,760

DATA BREACH SYSTEM AND METHOD

Non-Final OA §103 §DP
Filed: Sep 25, 2023
Examiner: STRAUB, D'ARCY WINSTON
Art Unit: 2491
Tech Center: 2400 — Computer Networks
Assignee: Sontiq Inc.
OA Round: 3 (Non-Final)
Grant Probability: 77% (Favorable)
OA Rounds: 3-4
To Grant: 3y 1m
With Interview: 97%

Examiner Intelligence

Grants 77% — above average
Career Allow Rate: 77% (168 granted / 218 resolved), +19.1% vs TC avg
Interview Lift: +20.0% (strong +20% interview lift, resolved cases with interview)
Typical timeline: 3y 1m avg prosecution, 27 currently pending
Career history: 245 total applications across all art units

Statute-Specific Performance

§101: 7.2% (-32.8% vs TC avg)
§103: 57.6% (+17.6% vs TC avg)
§102: 6.1% (-33.9% vs TC avg)
§112: 24.3% (-15.7% vs TC avg)
Based on career data from 218 resolved cases

Office Action

§103 §DP
DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114

A request for continued examination (RCE) under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on November 25, 2025 has been entered.

Response to Amendments

This office action is responsive to application 18/473,760 and the RCE filed on November 25, 2025. Claims 1-3, 6, 10, 14-15, and 17-19 are amended, and claims 1-20 remain pending in the application.

Response to Arguments

The Examiner has fully considered the Applicant’s arguments filed with the RCE, and the Examiner responds as provided below.

Regarding the Applicant’s response at pages 8-14 of the Remarks that concerns the § 103 rejection, the Applicant’s arguments in conjunction with the claim amendments are persuasive, and consequently the Examiner conducted a new prior art search. The Applicant’s arguments are now moot with respect to the pending claims because the arguments do not apply to some of the references currently used in the rejection of the aforementioned claims as detailed below.

Regarding the Applicant’s response at page 14 of the Remarks that concerns the double patenting rejection, the amendments to the claims take the instant claimed subject matter outside the purview of US Patent No. 11,768,934 and the double patenting rejection is withdrawn.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The following conventions apply to the mapping of the prior art to the claims:

Italicized text – claim language.
Parenthetical plain text – Examiner’s citation and explanation.
Citation without an explanation – an explanation has been previously provided for the respective limitation(s).
Quotation marks – language quoted from a prior art reference.
Underlining – language quoted from a claim.
Brackets – material altered from either a prior art reference or a claim, which includes the Examiner’s explanation that relates a claim limitation to the quoted material of a reference.
Braces – a limitation taught by another reference, but the limitation is presented with the mapping of the instant reference for context.
Numbered superscript – a first phrase to be moved upwards to the primary reference analysis.
Lettered superscript – a second phrase to be moved after the movement of the first phrase from which it was lifted, or more succinctly, move numbered material first, lettered material last.

A. Claims 1-5, 8, 10, and 12-14 are rejected under 35 U.S.C. 103 as being unpatentable over Park et al. (US 2018/0026996, “Park”) in view of Adjaoute (2015/0073891, “Adjaoute”), and further in view of Kolman et al. (US 9,558,346, “Kolman”), Cook et al. (US 2017/0161746, “Cook”), and Berggren (US 2009/0086977, “Berggren”).

Regarding Claim 1 Park discloses A method for apprising a consumer of an accumulated risk resulting from data breaches (¶ [0065], “In another embodiment, the cyber-security system 201 may notify [apprise] the consumer of the action event [data breach]. To reduce the impact [risk] of a data breach, it may be advantageous to notify the consumer and/or services associated with the data breach.”, noting it would be obvious to one skilled in the art to notify a consumer for each data breach that leads to an accumulated risk for the data breaches for multiple data breaches; and ¶ [0054], “In some instances, the cyber-traffic event analysis system may continually compile consumer data based on [breached] data found on the Internet. For example, the cyber-traffic event analysis system may monitor dark web pages for credit card numbers [resulting from data breaches], addresses, phone numbers, etc.”), comprising: receiving enrollment information for the consumer (¶ [0052], “In another example, the consumer may register [enroll] to receive a digital safety score. As part of the registration, the consumer may be presented with a list of accounts [enrollment information], and may be asked to give [and thereby receive] credentials for the accounts [as further enrollment information for the consumer].”); generating a consumer profile breach history for the consumer based on the enrollment information (¶ [0052], “As part of the registration, the consumer may be presented with a list of accounts,... [enrollment information]”; ¶ [0029], “If an account is breached (or if suspicious activity is detected), the cyber-security system 201 may be notified [and the breach history generated and stored for future reference]. 
The cyber-security system 201 may then notify the consumer [of the information comprising the consumer profile breach history], such as by sending an alert to a user computing device 208 and/or user mobile computing device 210.”; and ¶ [0030], “In an embodiment, the collected user [enrollment] information may be used to generate a consumer profile for the consumer. The consumer profile may be updated periodically [that encompasses history for the consumer] as new consumer information is gathered or received.”); accessing an electronic transaction account associated with the consumer (¶ [0055], “In yet another embodiment, the cyber-security system 201 may compare the consumer information with data known to correspond to the consumer. In some instances, the cyber-security system 201 may determine if data compiled by the cyber-traffic event analysis system matches data associated with the consumer. For example, the cyber-security system 201 may determine if a credit card number previously found on a dark web page and stored in a database of detected credit card numbers [with each credit card number associated with a respective transaction account] matches a credit card number entered by the consumer [and thus, the transaction account is accessed to enable the “match[ing]” ].”), the electronic transaction account configured to execute a consumer transaction between the consumer and a party to the consumer transaction (¶ [0055], “For example, the cyber-security system 201 may determine if a credit card number [and the associated electronic transaction account being configured to execute a consumer transaction between the consumer and party to the consumer transaction] previously found on a dark web page and stored in a database of detected credit card numbers [transaction account] matches a credit card number entered by the consumer [and thus, the transaction account is accessed to enable the “match[ing]” ].”); 1 …; accessing breach information for a plurality of data 
breaches (¶ [0055], “For example, the cyber-security system 201 may determine if a credit card number previously found [accessed] on a dark web page and stored in a database of detected credit card numbers [as breach information for a plurality of data breaches] matches a credit card number entered by the consumer.”; see also Adjaoute ¶¶ [0168]-[0170], “In tests with historical transaction data [breach information for a plurality of data breaches] involving Target Corporation Stores, fraud scores such as these rose sharply at the same time the criminals begin their ‘test and try’ activity. E.g., the first week of December.”); comparing the electronic transaction information with the breach information to determine a plurality of breach events (¶ [0055], “For example, the cyber-security system 201 may determine if a credit card number previously found on a dark web page and stored in a database of detected credit card numbers matches [via a comparison] a credit card number entered by the consumer.”; see also Adjaoute ¶¶ [0169]-[0170], “In tests with historical transaction data involving Target Corporation Stores, fraud scores [based upon breach events] such as these rose sharply at the same time the criminals begin their ‘test and try’ activity. E.g., the first week of December. 
The following Table is of selected key variables that were used to drive the analytics [comparisons].”), the plurality of breach events representing a matching of the electronic transaction information with the breach information of a corresponding one of the data breaches (¶ [0055], “For example, the cyber-security system 201 may determine if a credit card number previously found on a dark web page [and associated breach events] and stored in a database of detected credit card numbers matches a credit card number entered by the consumer [and corresponding electronic transaction information as taught by Adjaoute ¶ [0168]].”; see also Adjaoute ¶¶ [0169]-[0170], “In tests with historical transaction data involving Target Corporation Stores, fraud scores such as these rose sharply at the same time the criminals begin their ‘test and try’ activity. E.g., the first week of December. The following Table is of selected key variables that were used to drive the analytics [to observe the matching of electronic transaction information to the breach information of a corresponding one of the data breaches].”); 2 …; and appending the consumer profile breach history with one or more accumulated harm risk scores, (¶ [0052], “In another example, the consumer may register to receive a digital safety score [an accumulated harm risk score that is appended to the consumer profile breach history of a respective consumer via the storing of all relevant consumer information in a relational database].”; ¶¶ [0045]-[0047], “A digital safety score [accumulated harm risk score] 405 may be a rating and/or representation of different components which contribute to the risk of a data breach of an associated consumer. The digital safety score 405 may be a numeric value that indicates the risk of a data breach. 
While the description herein assumes a higher score reflects a lower chance of a data breach, any algorithm for determining the value may be used.”; and ¶¶ [0037]-[0038], “In some embodiments, the cyber-security system 201 may determine when and through which means to notify a consumer of the risks of a data breach and/or evidence of a data breach according to preset rules and strategies calculated from the data gathered from the information data sources 304 a-n.”, i.e., the calculated risk is based upon the accumulated “data sources,” and thus the probability calculated is an “accumulated risk.”), 3 …. Park doesn’t disclose 1 generating electronic transaction information for the consumer transaction; 2 appending the consumer profile breach history with a breach listing, the breach listing identifying the plurality of breach events and identifying a plurality of breached organizations wherein each breached organization corresponds to a respective breach event in the plurality of breach events; 3 wherein each of the one or more accumulated harm risk scores corresponds to each respective breach event from the plurality of breach events and provides a relative indicator of risk accumulated for the consumer as a cumulative result of breach information elements corresponding to the respective breach event. Adjaoute, however, discloses 1 generating electronic transaction information for the consumer transaction (¶¶ [0168]-[0170], “Data breach detection system 1500 focuses on the correlations between cardholders, merchants, and transaction dates [collectively electronic transaction information] in transactions receiving high risk fraud scores [with the scores relying upon the use of generated electronic transaction information], e.g., 118 (FIG. 1), 428 (FIG. 4), 552 (FIG. 5), 728 (FIGS. 7), and 1414 (FIG. 
14).”; and ¶ [0024], “Briefly, an artificial intelligence data breach detection embodiment of the present invention detects breaches of secure payment card data by analyzing real-time transaction records [electronic transaction information] as they flow in. On-going searches are made by analyzing the high risk transactions daily and comparing them with behaviors days, weeks, and month. A table of cards with the first known fraud dates is created. An investigation is launched into the merchants with suspect transactions.”); Regarding the combination of Park and Adjaoute, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify risk assessment system of Park to arrive at the claimed invention. KSR establishes that a rationale for obviousness is proven by showing a “use of [a] known technique to improve similar devices in the same way.” See MPEP § 2143(I)(C). To substantiate the conclusion of obviousness under this KSR rationale, the Examiner finds pursuant to MPEP § 2143(I)(C): 1) the prior art contained a base system, namely the risk assessment system of Park, upon which the claimed invention can be seen as an “improvement” through the use of generating electronic transaction information; 2) the prior art contained a “comparable” system, namely the security system of Adjaoute, that has been improved in the same way as the claimed invention through the generating electronic transaction information; and 3) one of ordinary skill in the art could have applied the known improvement technique of applying the generation of electronic transaction information to the base risk assessment system of Park, and the results would have been predictable to one of ordinary skill in the art. Kolman, however, discloses 2 appending the consumer profile breach history with a breach listing, the breach listing identifying the one or more breach events and…a (Fig. 3, Col. 9:14-25, “FIG. 
3 shows a screen shot 300 of the user interface 118. In this embodiment, the user interface presents a [breach] list of detected events [associated and appended to the consumer profile breach history within the database of the breach system] responsive to actuation of an incidents tab 302. In this context, and as indicated previously, an ‘incident’ is considered an example of a type of security-related event as the latter term is broadly utilized herein. The events shown in the screen shot 300 are presented in order of decreasing learned riskiness, based on the corresponding ordered list of risk scores shown in column 304. As noted above, at least a subset of these risk scores are assumed to be determined based on feedback as processed by the classifier 114A.”); 3 wherein each of the one or more accumulated harm risk scores corresponds to each respective breach event from the plurality of breach events and…b (see Cook below) (Fig. 3, Col. 9:14-25, “The events shown in the screen shot 300 are presented in order of decreasing learned riskiness, based on the corresponding ordered list of risk scores [corresponding to the accumulated risk scores as disclosed by Park ¶¶ [0045]-[0047], [0052]] shown in column 304.”). Regarding the combination of Park-Adjaoute and Kolman, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify risk assessment system of Park-Adjaoute to arrive at the claimed invention. KSR establishes that a rationale for obviousness is proven by showing a “use of [a] known technique to improve similar devices in the same way.” See MPEP § 2143(I)(C). 
To substantiate the conclusion of obviousness under this KSR rationale, the Examiner finds pursuant to MPEP § 2143(I)(C): 1) the prior art contained a base system, namely the risk assessment system of Park-Adjaoute, upon which the claimed invention can be seen as an “improvement” through the use of a breach-list feature; 2) the prior art contained a “comparable” system, namely the security system of Kolman, that has been improved in the same way as the claimed invention through the use of a breach-list feature; and 3) one of ordinary skill in the art could have applied the known improvement technique of applying the use of a breach-list feature to the base risk assessment system of Park-Adjaoute, and the results would have been predictable to one of ordinary skill in the art. Cook, however, discloses b … provides a relative indicator of risk accumulated for the consumer as a cumulative result of breach information elements corresponding to the respective breach event (Fig. 8, ¶ [0064], “At 808, the method 800 may include returning a risk score to a destination device based on the comparison. In certain embodiments, the results from the comparisons [that yield a relative indicator of risk] (whether from the local PII database or from the compromised companies) may be aggregated [accumulated risk] and analyzed to determine the risk score. In certain embodiments, the risk score may be based on a variety of data, including data about the [respective] breach event, data about the field that was matched (i.e., date of birth versus social security number [as two types of breach information elements associated with the respective breach event]), data about the frequency of the match (i.e., has this data been matched previously), data about other recent matches, and so on. Based on the data, a risk score may be calculated that can reflect the probability that a particular piece of consumer data may be misused.”). 
Regarding the combination of Park-Adjaoute-Kolman and Cook, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify risk assessment system of Park-Adjaoute-Kolman to arrive at the claimed invention. KSR establishes that a rationale for obviousness is proven by showing a “use of [a] known technique to improve similar devices in the same way.” See MPEP § 2143(I)(C). To substantiate the conclusion of obviousness under this KSR rationale, the Examiner finds pursuant to MPEP § 2143(I)(C): 1) the prior art contained a base system, namely the risk assessment system of Park-Adjaoute-Kolman, upon which the claimed invention can be seen as an “improvement” through the use of a breach-information element feature; 2) the prior art contained a “comparable” system, namely the security system of Cook, that has been improved in the same way as the claimed invention through the use of a breach-information element feature; and 3) one of ordinary skill in the art could have applied the known improvement technique of applying the use of a breach-information element feature to the base risk assessment system of Park-Adjaoute-Kolman, and the results would have been predictable to one of ordinary skill in the art. Berggren, however, discloses a …identifying a plurality of breached organizations wherein each breached organization corresponds to a respective breach event in the plurality of breach events (¶ [0045], “When validation authority 72 is queried as to the status of a certificate, validation authority 72 will determine [identify] the trust status of each and every entity listed in trust relationship 100. An exhaustive check is required because a security breach for any entity [organization] listed in trust relationship 100 shows that private key 36 may have been acquired [within a respective breach event] by a party other than user 140. 
Moreover, user 140 may further invalidate certificate 50 in case of a theft or a loss of exclusive control of private key 36.”); Regarding the combination of Park-Adjaoute-Kolman-Cook and Berggren, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify risk assessment system of Park-Adjaoute-Kolman to arrive at the claimed invention. KSR establishes that a rationale for obviousness is proven by showing a “use of [a] known technique to improve similar devices in the same way.” See MPEP § 2143(I)(C). To substantiate the conclusion of obviousness under this KSR rationale, the Examiner finds pursuant to MPEP § 2143(I)(C): 1) the prior art contained a base system, namely the risk assessment system of Park-Adjaoute-Kolman-Cook, upon which the claimed invention can be seen as an “improvement” through the use of a breached organization listing feature; 2) the prior art contained a “comparable” system, namely the security system of Berggren, that has been improved in the same way as the claimed invention through the use of a breached organization listing feature; and 3) one of ordinary skill in the art could have applied the known improvement technique of applying the use of a breached organization listing feature to the base risk assessment system of Park-Adjaoute-Kolman-Cook, and the results would have been predictable to one of ordinary skill in the art. Regarding Claim 2 Park in view of Adjaoute, and further in view of Kolman, Cook and Berggren (“Park-Adjaoute-Kolman-Cook-Berggren”) discloses the method according to claim 1, and Park further discloses further comprising: displaying the consumer profile breach history (¶¶ [0029]-[0030], [0052]) with the {breach listing (Kolman Fig. 3, Col. 9:14-25)}, {the plurality of breached organizations (Berggren ¶ [0045])}, and the one or more accumulated harm risk scores (at least Fig. 
4, ¶¶ [0047], [0052]) via a consumer user interface operable on a computing device (¶ [0044], “FIG. 4 illustrates a user interface 400 displaying an example rating screen for a digital safety score 405 [i.e., it would be obvious to one skilled in the art to display any information to a consumer relevant to a data breach and the associated security risk]. In some examples, these [consumer] user interfaces may be generated by an application server, web application 224, user computing device 208, and/or user mobile computing device 210.”). Regarding the combination of Park-Adjaoute and Kolman, the rationale to combine is the same as provided for claim 1 due to the overlapping subject matter of claims 1 and 2. Regarding the combination of Park-Adjaoute-Kolman-Cook and Berggren, the rationale to combine is the same as provided for claim 1 due to the overlapping subject matter of claims 1 and 2. Regarding Claim 3 Park-Adjaoute-Kolman-Cook-Berggren discloses the method according to claim 2, and Park further discloses further comprising: appending the consumer profile breach history (¶¶ [0029]-[0030], [0052]) to display one or more mitigation actions relative to one or more of the plurality of breach events, the mitigation actions detailing options available to the consumer for reducing risk and/or harm resulting from one or more of the plurality of breach events (¶ [0074], “For instance, cyber-security system 201 may close accounts which have not been accessed for a predetermined period of time such as greater than one year. In another embodiment, cyber-security system 201 may generate recommendations based on the identification of the sources of the subscriptions. In another embodiment, the consumer may determine that various accounts [that are also related to the risk of data breaches as taught by Adjaoute and Kolman] should be closed [as an option of a mitigation action to reduce risk] based on a review of the listings. 
In this case, a consumer may indicate via a user interface that various accounts should be closed and cyber-security system 201 may begin an account closing process for the consumer.”). Regarding Claim 4 Park-Adjaoute-Kolman-Cook-Berggren discloses the method according to claim 3, and Park further discloses further comprising: appending the consumer profile breach history to display one or more selectable links for the mitigation actions, the selectable links being selectable via the consumer user interface to direct the consumer to a resource interface for actioning a corresponding one of the mitigation actions (¶ [0074], noting that although Park is silent to the use of selectable links, the use of links or hyperlinks to select an option by a user via a graphical user interface is well established in the computer arts and would be obvious to one skilled in the arts. See MPEP § 2141(III), stating “Prior art is not limited just to the references being applied, but includes the understanding of one of ordinary skill in the art. The prior art reference (or references when combined) need not teach or suggest all the claim limitations, however, Office personnel must explain why the difference(s) between the prior art and the claimed invention would have been obvious to one of ordinary skill in the art.”). Regarding Claim 5 Park-Adjaoute-Kolman-Cook-Berggren discloses the method according to claim 4, and Park further discloses further comprising: prioritizing display of the mitigation actions to identify a relatively strongest one of mitigation actions, with each remaining mitigation actions ordered thereafter according to a level strength (¶ [0074], noting that although Park is silent to prioritizing display of the mitigation action, ordering options in order of effectiveness is well-known to those skilled in the art (i.e., presenting options randomly with no rhyme or reason would just be the handiwork of a poor programmer). 
See MPEP § 2141(III), stating “Prior art is not limited just to the references being applied, but includes the understanding of one of ordinary skill in the art. The prior art reference (or references when combined) need not teach or suggest all the claim limitations, however, Office personnel must explain why the difference(s) between the prior art and the claimed invention would have been obvious to one of ordinary skill in the art.”).

Regarding Claim 8

Park-Adjaoute-Kolman-Cook-Berggren discloses the method according to claim 1, and Park further discloses further comprising: generating a breach notification to apprise the consumer of appending the consumer profile breach history with the breach events (¶ [0027], “For example, the cyber-security system 201 may determine that the credit card number corresponds to the consumer, and push [generate] an alert [breach notification] to an application on the user's [consumer] mobile computing device 210 notifying the user that their credit card number may have been breached.”).

Regarding Independent Claim 10

With respect to claim 10, a corresponding reasoning as given earlier for claim 1 applies, mutatis mutandis, to the subject matter of claim 10. Therefore, claim 10 is rejected, for similar reasons, under the grounds set forth for claim 1.

Regarding Claim 12

With respect to claim 12, a corresponding reasoning as given earlier for claim 2 applies, mutatis mutandis, to the subject matter of claim 12. Therefore, claim 12 is rejected, for similar reasons, under the grounds set forth for claim 2.

Regarding Claim 13

With respect to claim 13, a corresponding reasoning as given earlier for claims 4 and 8 applies, mutatis mutandis, to the subject matter of claim 13. Therefore, claim 13 is rejected, for similar reasons, under the grounds set forth for claims 4 and 8.

Regarding Claim 14

With respect to claim 14, a corresponding reasoning as given earlier for claim 2 applies, mutatis mutandis, to the subject matter of claim 14. Therefore, claim 14 is rejected, for similar reasons, under the grounds set forth for claim 2.

B. Claims 6-7 and 15-20 are rejected under 35 U.S.C. 103 as being unpatentable over Park in view of Adjaoute, Kolman, Cook, and Berggren, and further in view of Lockhart (US 2017/0161520, “Lockhart”).

Regarding Claim 6

Park-Adjaoute-Kolman-Cook-Berggren discloses the method according to claim 4, and Park further discloses further comprising: appending the consumer profile breach history (¶¶ [0029]-[0030], [0052]) to display…1, 2 ….

Park-Adjaoute-Kolman-Cook-Berggren doesn’t disclose 1 one or more potential harms relative to one or more of the breach events, 2 wherein the one or more potential harms correspond to a potential impact, injury, or damage to the consumer from one or more of the plurality of breach events.

Lockhart, however, discloses 1 one or more potential harms relative to one or more of the breach events (¶ [0100], “The aggregation may include the results from the comparison to the scraped data. In certain embodiments, the risk score may be based on a variety of data, including data about the breach event, data about the field that was matched (i.e., date of birth versus social security number), data about the frequency of the match (i.e., has this data been matched previously), data about other recent matches, and so on [that are relative to one or more of the breach events, with each breach event involving one of the different types of data, e.g., “date of birth” and “social security number”].
Based on the data, a risk score may be calculated that can reflect the probability that a particular piece of consumer data may be misused.”), 2 wherein the one or more potential harms correspond to a potential impact, injury, or damage to the consumer from one or more of the breach events (¶ [0100], “Based on the data, a risk score may be calculated that can reflect the probability that a particular piece of consumer data may be misused [that is correlated to potential harms correspond to a potential impact, injury, or damage].”). Regarding the combination of Park-Adjaoute-Kolman-Cook-Berggren and Lockhart, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify risk assessment system of Park-Adjaoute-Kolman-Cook-Berggren to arrive at the claimed invention. KSR establishes that a rationale for obviousness is proven by showing a “use of [a] known technique to improve similar devices in the same way.” See MPEP § 2143(I)(C). To substantiate the conclusion of obviousness under this KSR rationale, the Examiner finds pursuant to MPEP § 2143(I)(C): 1) the prior art contained a base system, namely the risk assessment system of Park-Adjaoute-Kolman-Cook-Berggren, upon which the claimed invention can be seen as an “improvement” through the use of an impact probability feature; 2) the prior art contained a “comparable” system, namely the security system of Kolman, that has been improved in the same way as the claimed invention through the use of an impact probability feature; and 3) one of ordinary skill in the art could have applied the known improvement technique of applying the use of an impact probability feature to the base risk assessment system of Park-Adjaoute-Kolman-Cook-Berggren, and the results would have been predictable to one of ordinary skill in the art. 
Regarding Claim 7 Park in view of Adjaoute and Kolman, and further in view of Lockhart (“Park-Adjaoute-Kolman-Cook-Berggren-Lockhart”) discloses the method according to claim 6, and Park further discloses further comprising: appending the consumer profile breach history (¶¶ [0029]-[0030], [0052]) to display…1, 2 …. Lockhart further discloses 1 …an element risk score for each of the potential harms (¶ [0100], “The aggregation may include the results from the comparison to the scraped data. In certain embodiments, the risk score may be based on a variety of data, including data about the breach event, data about the field that was matched (i.e., date of birth versus social security number), data about the frequency of the match (i.e., has this data been matched previously), data about other recent matches, and so on. Based on the data, a risk score may be calculated that can reflect the probability that a particular [elemental] piece of consumer data may be misused [as a potential harm].”), 2 the element risk scores providing a relative indicator of risk to the consumer for the corresponding one of the potential harms (¶ [0100], i.e., a higher “probability” for “misuse[]” provides a relative indicator of risk to the consumer). Regarding the combination of Park-Adjaoute-Kolman-Cook-Berggren and Lockhart, the rationale to combine is the same as provided for claim 6 due to the overlapping subject matter of claims 6 and 7. Regarding Claim 15 With respect to claim 15, a corresponding reasoning as given earlier for claim 6 applies, mutatis mutandis, to the subject matter of claim 15. Therefore, claim 15 is rejected, for similar reasons, under the grounds set forth for claim 6. Regarding Claim 16 With respect to claim 16, a corresponding reasoning as given earlier for claim 7 applies, mutatis mutandis, to the subject matter of claim 16. Therefore, claim 16 is rejected, for similar reasons, under the grounds set forth for claim 7. 
Regarding Claim 17 With respect to claim 17, a corresponding reasoning as given earlier for claim 3 applies, mutatis mutandis, to the subject matter of claim 17. Therefore, claim 17 is rejected, for similar reasons, under the grounds set forth for claim 3. Regarding Independent Claim 18 With respect to claim 18, a corresponding reasoning as given earlier for claims 1, 3, and 6 applies, mutatis mutandis, to the subject matter of claim 17. Therefore, claim 18 is rejected, for similar reasons, under the grounds set forth for claim 1, 3, and 6. Regarding Claim 19 With respect to claim 19, a corresponding reasoning as given earlier for claims 3 and 6 applies, mutatis mutandis, to the subject matter of claim 19. Therefore, claim 19 is rejected, for similar reasons, under the grounds set forth for claims 3 and 6. Regarding Claim 20 With respect to claim 20, a corresponding reasoning as given earlier for claim 7 applies, mutatis mutandis, to the subject matter of claim 20. Therefore, claim 20 is rejected, for similar reasons, under the grounds set forth for claim 7. C. Claims 9 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Park in view of Adjaoute, Kolman, Cook, and Berggren, and further in view of Theebaprakasam et al. (US 2015/0082396, “Theebaprakasam”). Regarding Claim 9 Park-Adjaoute-Kolman-Cook-Berggren discloses the method according to claim 1, and Park further discloses further comprising: accessing the electronic transaction account…1 (¶ [0055]) Park-Adjaoute-Kolman-Cook-Berggren doesn’t disclose 1 …via a network using an account plug-in for the electronic transaction account. Theebaprakasam, however, discloses 1 …via a network using an account plug-in for the electronic transaction account (Fig. 2, ¶ [0054], “FIG. 3 depicts an example implementation of a plug-in framework 302 that may be implemented by the plug-in module 148 of FIG. 1. 
In some examples, the account management service computers 108 may implement an account manager 304 (e.g., implemented by the account module 152 of FIG. 1) for providing access the secure resources of a target [electronic transition] account. As noted, the plug-in framework 302 may enable customers to provide customer code (e.g., plug-in code) 306(1)-(N), collectively customer code 306, for setting rules, privileges, APIs, and/or workflows for accessing [via a network] the target resources.”). Regarding the combination of Park-Adjaoute-Kolman-Cook-Berggren and Theebaprakasam, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify risk assessment system of Park-Adjaoute-Kolman-Cook-Berggren to arrive at the claimed invention. KSR establishes that a rationale for obviousness is proven by showing a “use of [a] known technique to improve similar devices in the same way.” See MPEP § 2143(I)(C). To substantiate the conclusion of obviousness under this KSR rationale, the Examiner finds pursuant to MPEP § 2143(I)(C): 1) the prior art contained a base system, namely the risk assessment system of Park-Adjaoute-Kolman-Cook-Berggren, upon which the claimed invention can be seen as an “improvement” through the use of a plug-in feature; 2) the prior art contained a “comparable” system, namely the network system of Theebaprakasam, that has been improved in the same way as the claimed invention through the use of a plug-in feature; and 3) one of ordinary skill in the art could have applied the known improvement technique of applying the use of a plug-in feature to the base risk assessment system of Park-Adjaoute-Kolman-Cook-Berggren, and the results would have been predictable to one of ordinary skill in the art. Regarding Dependent Claim 11 With respect to claim 11, a corresponding reasoning as given earlier for claim 9 applies, mutatis mutandis, to the subject matter of claim 11. 
Therefore, claim 11 is rejected, for similar reasons, under the grounds set forth for claim 9. Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to D'ARCY WINSTON STRAUB whose telephone number is (303)297-4405. The examiner can normally be reached Monday-Friday 9:00-5:00 Mountain Time. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, AMIR MEHRMANESH can be reached at (571)270-3351. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /D'Arcy Winston Straub/Primary Examiner, Art Unit 2491

Prosecution Timeline

Sep 25, 2023: Application Filed
Feb 22, 2025: Non-Final Rejection — §103, §DP
May 15, 2025: Examiner Interview Summary
May 15, 2025: Applicant Interview (Telephonic)
Jun 16, 2025: Response Filed
Aug 26, 2025: Final Rejection — §103, §DP
Oct 20, 2025: Examiner Interview Summary
Oct 20, 2025: Applicant Interview (Telephonic)
Nov 25, 2025: Request for Continued Examination
Dec 05, 2025: Response after Non-Final Action
Jan 27, 2026: Non-Final Rejection — §103, §DP
Mar 09, 2026: Examiner Interview Summary
Mar 09, 2026: Applicant Interview (Telephonic)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12591706: PROACTIVE DATA SECURITY USING FILE ACCESS PERMISSIONS (2y 5m to grant, Granted Mar 31, 2026)
Patent 12579304: PURPOSE-BASED PROCESSING BY PURPOSE-ACTION ASSOCIATION (2y 5m to grant, Granted Mar 17, 2026)
Patent 12566886: DYNAMIC PROGRAMMING SOLUTION FOR PRIVACY PROTECTION EVALUATION (2y 5m to grant, Granted Mar 03, 2026)
Patent 12566887: Multi-Tiered Data Security and Auditing System (2y 5m to grant, Granted Mar 03, 2026)
Patent 12561410: SYSTEM AND METHOD TO PROVIDE DUMMY DATA FOR SOURCE ATTRIBUTION FOR PROPRIETARY DATA TRANSMISSION (2y 5m to grant, Granted Feb 24, 2026)
Study what changed to get past this examiner. Based on 5 most recent grants.

Prosecution Projections

Expected OA Rounds: 3-4
Grant Probability: 77%
With Interview (+20.0%): 97%
Median Time to Grant: 3y 1m
PTA Risk: High
Based on 218 resolved cases by this examiner. Grant probability derived from career allow rate.
