Patent Application Titled “Systems And Methods For Identification And Management Of Compliance-Related Information Associated With Enterprise It Networks” Published Online (USPTO 20230162060): Patent Application

2023 JUN 12 (NewsRx) -- By a News Reporter-Staff News Editor at Insurance Daily News -- According to news reporting originating from Washington, D.C., by NewsRx journalists, a patent application by the inventors NICKL, Ralph (Reston, VA, US); SEARS, Oran (Reston, VA, US), filed on January 9, 2023, was made available online on May 25, 2023.

No assignee for this patent application has been made.

Reporters obtained the following quote from the background information supplied by the inventors: “According to Statista.com, in 2019, 1,473 data breaches were reported in the United States, which exposed over 164.68 million sensitive records. In the first half of 2020, 540 data breaches were reported. As would be appreciated, a data breach occurs when a cybercriminal (a/k/a “hacker”) exfiltrates private data from a network, device, or system. This can be done by the hacker’s accessing of a computer or a device to expropriate stored thereon or by bypassing network security remotely to gain access to the data files stored in or associated with the network. While most reported data breaches can be attributed to hacking or malware attacks by third parties with nefarious intentions, other breaches can be attributed to insider leaks, payment card fraud, loss or theft of a physical hard drive of files, and human error. Data breaches can be quite expensive to organizations that own or are responsible for the data involved in the data breach event. Costs associated with addressing data breaches typically include tangible costs related to regulatory compliance (e.g., notification of affected individuals/organizations/regulatory agencies), remediation (e.g., repairing/hardening the network, providing security to affected individuals/organization), and liability payments (e.g., damages paid to affected individuals/organizations, penalties/penalties paid to regulatory agencies) investigation. Indirect costs (reputational damages, providing cyber security to victims of compromised data, etc.) often also result.

“The subject matters of data files involved in data breaches will vary according to the business use case for the enterprise IT network that is breached by the data hack. To this end, data breach events may be associated with personal or company financial information such as credit card or bank details, an individual’s personal health information (“PHI”), an individual’s personally identifiable information (“PII”), or intellectual property, among other things.

“A familiar example of a data breach is when a hacker gains unauthorized access into a corporate network and exfiltrates sensitive data out of one or more databases accessible via the hacker’s point of entry. However, not all breaches are associated with bad intent. If an unauthorized hospital employee views a patient’s health information on a computer screen over the shoulder of an authorized employee, that also constitutes a data breach as defined by the regulatory frameworks associated with private health information.

“Data breaches can occur when employees use weak passwords, when known software errors are exploited and when computers and mobile devices that are associated with a network are lost or stolen. Users’ connections to rogue wireless networks that capture login credentials or other sensitive information in transit can also lead to unauthorized exposures. Social engineering-especially attacks carried out via email phishing-can lead to users providing their login credentials directly to attackers or through subsequent malware infections. Criminals can then use the credentials they obtained to gain entry to sensitive systems and records-access which often can go undetected for months, or even indefinitely. Threat actors can also target third-party business partners in order to gain access to large organizations; such incidents typically involve hackers compromising less secure businesses to obtain access to the primary target on which networks valuable information resides.

“In the US, there is no comprehensive federal law that regulates the rights of data owners and the attendant obligations of those organizations or enterprises that are fully or partly responsible for a data breach. A wide variety of industry guidelines and government compliance regulations mandate strict control of sensitive data types with a goal of preventing unauthorized access thereto that constitutes a data breach. Within a corporate environment, for example, the Payment Card Industry Data Security Standard (“PCIDSS”) defines who may handle and use PII, such as credit card numbers when available in conjunction with the cardholders’ names and addresses. Within a healthcare environment, the Health Insurance Portability and Accountability Act (“HIPAA”) regulates who may see and use PHI, such as a patient’s name, date of birth, and healthcare diagnoses and treatments. There are also specific requirements for the reporting of data breaches via HIPAA-and its Health Information Technology for Economic and Clinical Health (HITECH) Act and Omnibus Rule-as well as the various state breach notification laws. The consequences of intellectual property data breaches can lead to significant legal disputes, as well as business losses if the breach is made public.

“In the absence of comprehensive US federal government regulation, many states have enacted data breach notification laws that require both private and public entities to notify individuals, whether customers, consumers or users, of breaches involving certain types of data, such as PII. The deadline to notify individuals affected by breaches can vary from state to state, and the specific notification requirements of each jurisdiction can differ markedly, thus making it somewhat onerous for those bearing compliance-related responsibilities associated with data breaches to meet their notification obligations. This is especially true since most companies that are susceptible to data breaches engage in internet commerce, which means that their customers should be considered to be located in each of the 50 states. It follows that it may be necessary to perform individualized compliance activities for every state and, as such, compliance with the various regulatory obligations associated with a single data breach event can be quite complex. Moreover, given the short time deadlines associated with some of the jurisdictions (e.g., Colorado and Florida have 30 day provisions), time is of the essence in identifying those affected by a data breach and determining the nature and content of the data that may have been associated with the data breach.

“In the US, the California Consumer Privacy Act (“CCPA”) came into effect in early 2020. This law is the most stringent in the US today and since many, if not most, companies that transact business in the US will likely interact with California residents, the provisions of this law are of intense interest. Broadly, the CCPA gives consumers more control over the personal information that businesses collect about them by providing persons with a number of rights:

“

“the right to know about the personal information a business collects about them and how it is used and shared;

“the right to delete personal information collected from them (with some exceptions);

“the right to opt-out of the sale of their personal information; and

“the right to non-discrimination for exercising their CCPA rights.

“

“The California Consumer Privacy Act (“CCPA”) (A.B. 375) is applicable to for-profit businesses that collect and control California residents’ personal information, do business in the state of California, and meet at least one of the following thresholds:

“

“Annual gross revenues larger than $25 million;

“Receive or disclose the personal information of 50,000 or more California residents, households, or devices each year; or

“Make 50 percent or greater annual revenue from selling California residents’ personal information.

“

“Outside of the US, other various regulatory frameworks exist for data protection and deadlines for notification of affected persons, as well as for penalties for non-compliance with data privacy mandates. The most well-known, and likely the one of the most important in this modern world of global commerce, is the European Union General Data Protection Regulation (“GDPR”). The GDPR not only applies to organizations located within the EU but also applies to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects, that is, persons. In addition to data breach notifications, organizations that collect personal data from individuals must take affirmative steps to ensure that internal checks are placed on access to private information. Thus, GDPR requires internal audits to ensure that only authorized persons are allowed to access private information.”

There is additional background information. Please visit full patent to read further.”

In addition to obtaining background information on this patent application, NewsRx editors also obtained the inventors’ summary information for this patent application: “Aspects of the present disclosure are related to identification and management of compliance-related information associated with data breach events. In one aspect, among others, a method of managing compliance-related activities after a data breach associated with an enterprise IT network comprises receiving, by at least one computer, a first data file collection associated with a first data breach event. The first data file collection can be generated by analysis of the first data breach event and derived from a bulk data file collection stored on or associated with a first enterprise IT network of interest for monitoring for an occurrence of data breach events; the first data file collection can comprise at least some of structured, unstructured, and semi-structured data file types; and at least some of the first data file collection can comprise protected information having compliance-related activities associated therewith. The method further comprises generating, by the at least one computer, information associated with presence or absence of protected information elements of all or part of the first data file collection and, if the generated information indicates that a data file in the first data file collection includes the protected information elements, incorporating that data file in a second data file collection; analyzing, by at least one human reviewer, a subset of individual data files selected from the second data file collection to validate that each data file in the subset of individual data files comprises one or more of the protected information elements; and incorporating, by the at least one computer, the information associated with the analysis of the subset of individual data files into machine learning information configured for subsequent analysis of either or both of the first and second data file collections. If it is determined that the one or more protected information elements are not present in a data file, that data file can be removed, by the at least one human reviewer, from the second data file collection and re-incorporating that data file into the first data file collection; or if it is determined that the one or more protected information elements are present in a data file: at least one entity identification can be derived, by either or both of the at least one human reviewer or the at least one computer, for an entity associated with each of the one or more protected information elements in that data file, wherein the entity comprises an individual, a group of individuals, an organization, or a company; and information associated with each of the one or more protected information elements and the associated entity can be generated by either or both of the at least one human reviewer or the at least one computer.

“In various aspects, the unstructured data file type in the first data file collection can comprise image files. The method can further comprise selecting, by the at least one computer, a subset of image files from either or both of the first and second data file collections; configuring, by the at least one computer, the subset of image files for display and selection on a user device associated with the at least one human reviewer; displaying, by the at least one computer, a plurality of the image files from the subset of image files on the user device; selecting, by the at least one human reviewer, a displayed image when the at least one human reviewer identifies that the displayed image is associated with the one or more protected information elements; and recording, by the at least one computer, information associated with the at least one human reviewer’s selection of the displayed image, thereby providing identification information for the presence or absence of the one or more protected information elements in at least some image files in the subset of image files selected from either or both of the first and second data file collections. The method can further comprise incorporating, by the at least one computer, the identification information into machine learning training information; and analyzing, by the at least one computer, image files in the first and second data file collections for the presence of the one or more protected information elements.

“In one or more aspects, the method can further comprise identifying, by the at least one computer, some or all of the one or more protected information elements and the at least one entity identification in the image files; and extracting, by the at least one computer, the identified protected information elements and the at least one entity identification from the image files for incorporation in a database. The method can further comprise recording, by the at least one computer, information associated with the analysis by the at least one human reviewer of each of the subset of individual data files in the second collection of data files; and incorporating, by the at least one computer, the at least one human reviewer’s analysis information as training information for use in subsequent analysis of one or more of: data files in the first data file collection; data files in the second data file collection that are not included in the subset of individual data files; data files in the subset of individual data files that have not yet been reviewed by the at least one human reviewer; a third data file collection derived from a bulk data file collection stored on or associated with the first enterprise IT network, wherein the third data file collection is generated after a second data breach event associated with the first enterprise IT network; or a fourth data file collection derived from a bulk data file collection stored on or associated with a second enterprise IT network that is different from the first enterprise IT network, wherein the fourth data file collection is generated after a data breach event occurring on the second enterprise IT network.

“In some aspects, the method can further comprise determining, by the at least one computer, whether one or more second collection data files of the second data file collection are associated with the at least one identified entity and, if other second collection data files are associated with that identified entity, generating linkages between the entity-associated files, thereby providing a linked data file collection linked with one or more entity identifications having the one or more protected information elements associated therewith. Each of the second data file collection can be arranged for display and selection on a display device associated with the at least one human reviewer as one or more of: a plurality of defined categories of the protected information elements; a count of data files comprising the protected information elements; and a count of data file categories comprising the protected information elements. The method can further comprise displaying, by the at least one computer, text summaries extracted from a data file in the second data file collection on a device display of the at least one human reviewer; selecting, by the at least one human reviewer, some or all of the highlighted protected information elements and entity identifications, thereby providing human reviewer validation of the protected information elements and entity identifications in the data file; and adding, by the at least one computer, the selected protected information elements and entity identifications to the database. The displayed text summaries can comprise each of a protected information element and an entity identification in the data file; the text summaries can each be provided on the display with highlighting generated by the at least one computer; and the text summaries can be configured to allow the at least one human reviewer to select all or part of each of the protected information element and entity identification.

“In various aspects, when the second data file collection is identified by either or both of the at least one human reviewer or the at least one computer as comprising a plurality of protected information elements associated with one or more entity identifications, each of the plurality of protected information elements can be linked to each of the one more entity identifications. The second data file collection can comprise an unstructured data file and the plurality of protected information data elements associated with the one or more entity identifications are included as tabular data in the unstructured data file. The identification of protected information in the first data file collection can be associated with a generated confidence level. When a determination that a data file in the first data file collection meets or exceeds the generated confidence level, that data file can be included in the second data file collection. The compliance-related activities can be defined by one or more of laws, regulations, policies, procedures, and contractual obligations associated with the protected information. The compliance-related activities can comprise one or more of: notifying, by the at least one computer or by a manager of the first enterprise IT network, each identified entity of the protected information associated with that entity that was involved with the first data breach event; and notifying, by the at least one computer or the first enterprise IT network manager, a regulatory authority of the first network breach event and providing the regulatory authority with information associated with the identified entities having the protected information involved in the first data breach event.”

There is additional summary information. Please visit full patent to read further.”

The claims supplied by the inventors are:

“1. A method of identifying protected information elements associated with unique entities in data file collections comprising: receiving, by at least one computing device, a data file collection comprising a plurality of data files stored on or associated with an enterprise IT network, the plurality of data files comprising a combination of structured, unstructured, and semi-structured file types; analyzing, by the at least one computing device, the plurality of data files to identify a presence of one or more protected information elements associated with one or more unique entities having one or more entity identifications; generating, by the at least one computing device, information about the data file collection, the information associated with the one or more protected information elements; and configuring, by the at least one computing device, the generated information about the data file collection for use in a user notification, a report, a dashboard, or machine learning information for use in evaluating additional data file collections.”

For more information, see this patent application: NICKL, Ralph; SEARS, Oran. Systems And Methods For Identification And Management Of Compliance-Related Information Associated With Enterprise It Networks. U.S. Patent Application Number 20230162060, filed January 9, 2023 and posted May 25, 2023. Patent URL (for desktop use only): https://ppubs.uspto.gov/pubwebapp/external.html?q=(20230162060)&db=US-PGPUB&type=ids

(Our reports deliver fact-based news of research and discoveries from around the world.)