Patent Issued for Data processing and scanning systems for assessing vendor risk (USPTO 11157600): OneTrust LLC

2021 NOV 11 (NewsRx) -- By a News Reporter-Staff News Editor at Insurance Daily News -- OneTrust LLC (Atlanta, Georgia, United States) has been issued patent number 11157600, according to news reporting originating out of Alexandria, Virginia, by NewsRx editors.

The patent’s inventors are Barday, Kabir A. (Atlanta, GA, US), Brannon, Jonathan Blake (Smyrna, GA, US), Jones, Kevin (Atlanta, GA, US), Sabourin, Jason L. (Brookhaven, GA, US), Shah, Milap (Bangalore, IN), Viswanathan, Subramanian (Marietta, GA, US).

This patent was filed on April 30, 2020 and was published online on October 26, 2021.

From the background information supplied by the inventors, news correspondents obtained the following quote: “Over the past years, privacy and security policies, and related operations have become increasingly important. Breaches in security, leading to the unauthorized access of personal data (which may include sensitive personal data) have become more frequent among companies and other organizations of all sizes. Such personal data may include, but is not limited to, personally identifiable information (PII), which may be information that directly (or indirectly) identifies an individual or entity. Examples of PII include names, addresses, dates of birth, social security numbers, and biometric identifiers such as a person’s fingerprints or picture. Other personal data may include, for example, customers’ Internet browsing habits, purchase history, or even their preferences (e.g., likes and dislikes, as provided or obtained through social media).

“Many organizations that obtain, use, and transfer personal data, including sensitive personal data, have begun to address these privacy and security issues. To manage personal data, many companies have attempted to implement operational policies and processes that comply with legal requirements, such as Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) or the U.S.’s Health Insurance Portability and Accountability Act (HIPPA) protecting a patient’s medical information. Many regulators recommend conducting privacy impact assessments, or data protection risk assessments along with data inventory mapping. For example, the GDPR requires data protection impact assessments. Additionally, the United Kingdom ICO’s office provides guidance around privacy impact assessments. The OPC in Canada recommends certain personal information inventory practices, and the Singapore PDPA specifically mentions personal data inventory mapping.

“In implementing these privacy impact assessments, an individual may provide incomplete or incorrect information regarding personal data to be collected, for example, by new software, a new device, or a new business effort, for example, to avoid being prevented from collecting that personal data, or to avoid being subject to more frequent or more detailed privacy audits. In light of the above, there is currently a need for improved systems and methods for monitoring compliance with corporate privacy policies and applicable privacy laws in order to reduce a likelihood that an individual will successfully “game the system” by providing incomplete or incorrect information regarding current or future uses of personal data.

“Organizations that obtain, use, and transfer personal data often work with other organizations (“vendors”) that provide services and/or products to the organizations. Organizations working with vendors may be responsible for ensuring that any personal data to which their vendors may have access is handled properly. However, organizations may have limited control over vendors and limited insight into their internal policies and procedures. Therefore, there is currently a need for improved systems and methods that help organizations ensure that their vendors handle personal data properly.”

Supplementing the background information on this patent, NewsRx reporters also obtained the inventors’ summary information for this patent: “A computer-implemented data processing method for monitoring one or more system inputs as input of information related to a privacy campaign, according to various embodiments, comprises: (A) actively monitoring, by one or more processors, one or more system inputs from a user as the user provides information related to a privacy campaign, the one or more system inputs comprising one or more submitted inputs and one or more unsubmitted inputs, wherein actively monitoring the one or more system inputs comprises: (1) recording a first keyboard entry provided within a graphical user interface that occurs prior to submission of the one or more system inputs by the user, and (2) recording a second keyboard entry provided within the graphical user interface that occurs after the user inputs the first keyboard entry and before the user submits the one or more system inputs; (B) storing, in computer memory, by one or more processors, an electronic record of the one or more system inputs; (C) analyzing, by one or more processors, the one or more submitted inputs and one or more unsubmitted inputs to determine one or more changes to the one or more system inputs prior to submission, by the user, of the one or more system inputs, wherein analyzing the one or more submitted inputs and the one or more unsubmitted inputs to determine the one or more changes to the one or more system inputs comprises comparing the first keyboard entry with the second keyboard entry to determine one or more differences between the one or more submitted inputs and the one or more unsubmitted inputs, wherein the first keyboard entry is an unsubmitted input and the second keyboard entry is a submitted input; (D) determining, by one or more processors, based at least in part on the one or more system inputs and the one or more changes to the one or more system inputs, whether the user has provided one or more system inputs comprising one or more abnormal inputs; and (E) at least partially in response to determining that the user has provided one or more abnormal inputs, automatically flagging the one or more system inputs that comprise the one or more abnormal inputs in memory.

“A computer-implemented data processing method for monitoring a user as the user provides one or more system inputs as input of information related to a privacy campaign, in various embodiments, comprises: (A) actively monitoring, by one or more processors, (i) a user context of the user as the user provides the one or more system inputs as information related to the privacy campaign and (ii) one or more system inputs from the user, the one or more system inputs comprising one or more submitted inputs and one or more unsubmitted inputs, wherein actively monitoring the user context and the one or more system inputs comprises recording a first user input provided within a graphical user interface that occurs prior to submission of the one or more system inputs by the user, and recording a second user input provided within the graphical user interface that occurs after the user inputs the first user input and before the user submits the one or more system input; (B) storing, in computer memory, by one or more processors, an electronic record of user context of the user and the one or more system inputs from the user; (C) analyzing, by one or more processors, at least one item of information selected from a group consisting of (i) the user context and (ii) the one or more system inputs from the user to determine whether abnormal user behavior occurred in providing the one or more system inputs, wherein determining whether the abnormal user behavior occurred in providing the one or more system inputs comprises comparing the first user input with the second user input to determine one or more differences between the one or more submitted inputs and the one or more unsubmitted inputs, wherein the first user input is an unsubmitted input and the second user input is a submitted input; and (D) at least partially in response to determining that abnormal user behavior occurred in providing the one or more system inputs, automatically flagging, in memory, at least a portion of the provided one or more system inputs in which the abnormal user behavior occurred.

“A computer-implemented data processing method for monitoring a user as the user provides one or more system inputs as input of information related to a privacy campaign, in various embodiments, comprises: (A) actively monitoring, by one or more processors, a user context of the user as the user provides the one or more system inputs, the one or more system inputs comprising one or more submitted inputs and one or more unsubmitted inputs, wherein actively monitoring the user context of the user as the user provides the one more system inputs comprises recording a first user input provided within a graphical user interface that occurs prior to submission of the one or more system inputs by the user, and recording a second user input provided within the graphical user interface that occurs after the user provides the first user input and before the user submits the one or more system inputs, wherein the user context comprises at least one user factor selected from a group consisting of: (i) an amount of time the user takes to provide the one or more system inputs, (ii) a deadline associated with providing the one or more system inputs, (iii) a location of the user as the user provides the one or more system inputs; and (iv) one or more electronic activities associated with an electronic device on which the user is providing the one or more system inputs; (B) storing, in computer memory, by one or more processors, an electronic record of the user context of the user; (C) analyzing, by one or more processors, the user context, based at least in part on the at least one user factor, to determine whether abnormal user behavior occurred in providing the one or more system inputs, wherein determining whether the abnormal user behavior occurred in providing the one or more system inputs comprises comparing the first user input with the second user input to determine one or more differences between the first user input and the second user input, wherein the first user input is an unsubmitted input and the second user input is a submitted input; and (D) at least partially in response to determining that abnormal user behavior occurred in providing the one or more system inputs, automatically flagging, in memory, at least a portion of the provided one or more system inputs in which the abnormal user behavior occurred.

“A computer-implemented data processing method for scanning one or more webpages to determine vendor risk, in various embodiments, comprises: (A) scanning, by one or more processors, one or more webpages associated with a vendor; (B) identifying, by one or more processors, one or more vendor attributes based on the scan; (C) calculating a vendor risk score based at least in part on the one or more vendor attributes; and (D) taking one or more automated actions based on the vendor risk rating.

“A computer-implemented data processing method for generating an incident notification for a vendor, according to particular embodiments, comprises: receiving, by one or more processors, an indication of a particular incident; determining, by one or more processors based on the indication of the particular incident, one or more attributes of the particular incident; determining, by one or more processors based on the one or more attributes of the particular incident, a vendor associated with the particular incident; determining, by one or more processors based on the vendor associated with the particular incident, a notification obligation for the vendor associated with the particular incident; generating, by one or more processors in response to determining the notification obligation, a task associated with satisfying the notification obligation; presenting, by one or more processors on a graphical user interface, an indication of the task associated with satisfying the notification obligation; detecting, by one or more processors on a graphical user interface, a selection of the indication of the task associated with satisfying the notification obligation; and presenting, by one or more processors on a graphical user interface, detailed information associated with the task associated with satisfying the notification obligation.”

The claims supplied by the inventors are:

“1. A computer-implemented method for assessing privacy-related risk associated with a handling of personal data by a particular vendor, the method comprising: receiving, by one or more computer processors, one or more pieces of vendor information associated with the handling of the personal data by the particular vendor; obtaining, by the one or more computer processors, based on the one or more pieces of vendor information associated with the handling of the personal data by the particular vendor, information on one or more webpages for a website associated with the particular vendor, wherein the one or more webpages are configured for collecting the personal data of visitors to the website; analyzing, by the one or more computer processors, the information on the one or more webpages to determine that the one or more webpages does not provide a privacy control center configured to enable the visitors to allow or disallow collecting of the personal data of the visitors; assigning, by the one or more computer processors and based on determining that the one or more webpages does not provide the privacy control center, a particular weighting to a privacy control center risk factor associated with the particular vendor; determining, by the one or more computer processors: (i) a plurality of risk factors based at least part on the one or more pieces of vendor information associated with the handling of the personal data by the particular vendor; and (ii) a respective weighting for each risk factor of the plurality of risk factors, wherein the respective weighting for the risk factor is based at least in part on a relative importance of the risk factor with respect to the other risk factors of the plurality of risk factors and the privacy control center risk factor; generating, by the one or more computer processors, a privacy risk score that represents a risk of at least one of the particular vendor not being in compliance with at least one data privacy standard related to the handling of the personal data by the particular vendor or the particular vendor experiencing a breach of the personal data, the privacy risk score generated based on: (a) the plurality of risk factors; (b) the respective weighting for each of the plurality of risk factors; © the privacy control center risk factor; and (d) the particular weighting for the privacy control center risk factor; providing, by the one or more computer processors, for display on a graphical user interface, the privacy risk score for the particular vendor.

“2. The computer-implemented method of claim 1, wherein determining the plurality of other risk factors comprises: obtaining, by the one or more computer processors, based at least in part on the one or more pieces of vendor information associated with the handling of the personal data by the particular vendor, one or more pieces of computer code associated with the one or more webpages; analyzing, by the one or more computer processors, the one or more pieces of computer code to determine whether the one or more pieces of computer code comprise an indication of a particular security certification; and at least one other risk factor of the plurality of other risk factors is based at least in part on the indication of the particular security certification.

“3. The computer-implemented method of claim 2, wherein the particular security certification is selected from a group consisting of: (a) a system and organization controls (SOC) certification; (b) an International Organization for Standardization (ISO) certification; © a Health Insurance Portability and Accountability ACT (HIPAA) certification; and (d) a Privacy Shield certification.

“4. The computer-implemented method of claim 1, wherein the one or more pieces of vendor information comprises one or more pieces of information associated with a social networking site.

“5. The computer-implemented method of claim 1, wherein the website is operated by the particular vendor.

“6. The computer-implemented method of claim 1, wherein the website is operated by a third-party that is not the particular vendor.

“7. The computer-implemented method of claim 1, wherein the one or more pieces of vendor information associated with the handling of the personal data by the particular vendor comprise particular terms obtained from one or more documents, and the method further comprises analyzing, by the one or more computer processors, the one or more documents using one or more natural language processing techniques to identify the particular terms in the one or more documents.

“8. A vendor risk assessment system for assessing privacy-related risk associated with a handling of personal data by a particular vendor, the system comprising: one or more computer processors; and computer memory including computer-executable instructions configured to, when executed by the one or more computer processors, cause the system to at least: retrieve one or more pieces of vendor information associated with the handling of the personal data by the particular vendor; obtain, based the one or more pieces of vendor information associated with the handling of the personal data by the particular vendor, information on one or more webpages of a website associated with the particular vendor, wherein the one or more webpages are configured for collecting the personal data of visitors to the website; analyze the information on the one or more webpages to determine that the one or more webpages does not provide a privacy control center configured to enable the visitors to allow or disallow collecting of the personal data of the visitors; assign, based on determining that the one or more webpages does not provide the privacy control center, a particular weighting to a privacy control center risk factor associated with the particular vendor; determine that each of the one or more pieces of vendor information associated with the handling of the personal data by the particular vendor is currently valid; based on each of the one or more pieces of vendor information associated with the handling of the personal data by the particular vendor being currently valid: determine a plurality of risk factors based at least part on the one or more pieces of vendor information associated with the handling of the personal data by the particular vendor and a respective weighting for each risk factor of the plurality of risk factors, wherein the respective weighting for the risk factor is based at least in part on a relative importance of the risk factor with respect to other risk factors of the plurality of risk factors and the privacy control center risk factor; generate a vendor risk rating for the particular vendor that represents a risk of at least one of the particular vendor not being in compliance with at least one data privacy standard related to the handling of the personal data by the particular vendor or the particular vendor experiencing a breach of the personal data, the vendor risk rating generated based on the plurality of risk factors, the privacy control center risk factor, the respective weighting for each of the plurality of risk factors, and the particular weighting for the privacy control center risk factor; and provide the privacy risk rating for the particular vendor for display on a graphical user interface; and based on any of the one or more pieces of vendor information associated with the handling of the personal data by the particular vendor not being currently valid: request updated information corresponding to each of the one or more pieces of vendor information associated with the handling of the personal data by the particular vendor that is not currently valid.

“9. The vendor risk assessment system of claim 8, wherein the one or more pieces of vendor information associated with the handling of the personal data by the particular vendor comprise one or more privacy disclaimers displayed on at least one of the one or more webpages associated with the particular vendor.

“10. The vendor risk assessment system of claim 8, wherein the one or more pieces of vendor information associated with the handling of the personal data by the particular vendor comprise one or more privacy-related employee positions associated with the particular vendor.

“11. The vendor risk assessment system of claim 8, wherein the one or more pieces of vendor information associated with the handling of the personal data by the particular vendor comprise one or more privacy-related events attended by one or more representatives of the particular vendor.

“12. The vendor risk assessment system of claim 8, wherein: the one or more pieces of vendor information associated with the handling of the personal data by the particular vendor comprise one or more contractual obligations obtained from one or more documents; and the computer-executable instructions are configured to, when executed by the one or more computer processors, cause the system to at least retrieve the one or more pieces of vendor information associated with the handling of the personal data by the particular vendor by: retrieving the one or more documents; and analyzing the one or more documents using one or more natural language processing techniques to identify the one or more contractual obligations in the one or more documents.

“13. The vendor risk assessment system of claim 8, wherein the computer-executable instructions are configured to, when executed by the one or more computer processors, cause the system to at least determine whether each of the one or more pieces of vendor information associated with the handling of the personal data by the particular vendor is currently valid by determining whether a respective expiration date associated with each of the one or more pieces of vendor information associated with the handling of the personal data by the particular vendor has expired.”

There are additional claims. Please visit full patent to read further.

For the URL and additional information on this patent, see: Barday, Kabir A. Data processing and scanning systems for assessing vendor risk. U.S. Patent Number 11157600, filed April 30, 2020, and published online on October 26, 2021. Patent URL: http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.htm&r=1&f=G&l=50&s1=11157600.PN.&OS=PN/11157600RS=PN/11157600

(Our reports deliver fact-based news of research and discoveries from around the world.)