Patent Issued for Data processing and scanning systems for assessing vendor risk (USPTO 11366909): OneTrust LLC

2022 JUL 13 (NewsRx) -- By a News Reporter-Staff News Editor at Insurance Daily News -- According to news reporting originating from Alexandria, Virginia, by NewsRx journalists, a patent by the inventors Brannon, Jonathan Blake (Smyrna, GA, US), filed on June 8, 2021, was published online on June 21, 2022.

The assignee for this patent, patent number 11366909, is OneTrust LLC (Atlanta, Georgia, United States).

Reporters obtained the following quote from the background information supplied by the inventors: “Over the past years, privacy and security policies, and related operations have become increasingly important. Breaches in security, leading to the unauthorized access of personal data (which may include sensitive personal data) have become more frequent among companies and other organizations of all sizes. Such personal data may include, but is not limited to, personally identifiable information (PII), which may be information that directly (or indirectly) identifies an individual or entity. Examples of PII include names, addresses, dates of birth, social security numbers, and biometric identifiers such as a person’s fingerprints or picture. Other personal data may include, for example, customers’ Internet browsing habits, purchase history, or even their preferences (e.g., likes and dislikes, as provided or obtained through social media).

“Many organizations that obtain, use, and transfer personal data, including sensitive personal data, have begun to address these privacy and security issues. To manage personal data, many companies have attempted to implement operational policies and processes that comply with legal requirements, such as Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) or the U.S.’s Health Insurance Portability and Accountability Act (HIPPA) protecting a patient’s medical information. Many regulators recommend conducting privacy impact assessments, or data protection risk assessments along with data inventory mapping. For example, the GDPR requires data protection impact assessments. Additionally, the United Kingdom ICO’s office provides guidance around privacy impact assessments. The OPC in Canada recommends certain personal information inventory practices, and the Singapore PDPA specifically mentions personal data inventory mapping.

“Many organizations have also begun to track the compliance of their vendors with privacy laws, regulations, and/or standards. This can be expensive and time consuming using traditional methods. Accordingly, there is a need for improved systems and methods for efficiently tracking the compliance of vendors with privacy laws, regulations, and/or standards, and for assessing the risk associated with doing business with a particular vendor.”

In addition to obtaining background information on this patent, NewsRx editors also obtained the inventors’ summary information for this patent: “A method according to various embodiments, may include: executing, by computing hardware, a download of a software application from a computer system associated with a vendor; identifying, by the computing hardware and based on the download of the software application, a plurality of vendor attributes, wherein the plurality of vendor attributes comprises a privacy disclaimer associated with the software application; determining, by the computing hardware, factors for the plurality of vendor attributes, wherein determining the factors for the plurality of vendor attributes comprises determining a privacy disclaimer factor for the privacy disclaimer by: analyzing the privacy disclaimer to determine whether the privacy disclaimer comprises language associated with at least one of a legal requirement or an industry requirement; and determining the privacy disclaimer factor based on whether the privacy disclaimer comprises the language associated with the at least one of the legal requirement or the industry requirement; determining, by the computing hardware, a vendor risk rating based on the factors for the plurality of vendor attributes; generating, by the computing hardware and based on the vendor risk rating, a graphical user interface by configuring a navigation element on the graphical user interface and excluding a display element from the graphical user interface, wherein: the navigation element is configured for initiating a responsive action based on the vendor risk rating, and the display element is configured for presenting the vendor risk rating; transmitting, by the computing hardware, an instruction to a user device to present the graphical user interface on the user device; detecting, by the computing hardware, selection of the navigation element; and responsive to detecting the selection of the navigation element, initiating, by the computing hardware, the responsive action.

“In particular embodiments, the responsive action comprises: generating a second graphical user interface comprising an indication of the vendor risk rating and transmitting a second instruction to a third-party computing device to present the second graphical user interface on the third-party computing device. In particular embodiments, the second graphical user interface further comprises an indication of the software application. In particular embodiments, the responsive action comprises: generating an electronic communication comprising an indication of the vendor risk rating and transmitting the electronic communication to a third-party computing device. In particular embodiments, the factors for the plurality of vendor attributes comprise a security certification factor; and the method further comprises: analyzing computer code associated with the vendor to identify an indication of a security certification associated with the vendor; and determining the security certification factor based on the security certification. In particular embodiments, the factors for the plurality of vendor attributes comprise a security certification factor; and the method further comprises: scanning a website associated with the vendor to identify an image associated with a security certification associated with the vendor; and determining the security certification factor based on the security certification. In particular embodiments, determining the security certification factor based on the security certification comprises: accessing a database of security certifications to determine whether the vendor holds the security certification; and determining the security certification factor based on whether the vendor holds the security certification.

“A system, according to various embodiments, may include: a non-transitory computer-readable medium storing instructions; and a processing device communicatively coupled to the non-transitory computer-readable medium, wherein the processing device is configured to execute the instructions and thereby perform operations comprising: downloading a software application from a computer system associated with a vendor; identifying a privacy disclaimer associated with the software application; determining a privacy disclaimer factor for the privacy disclaimer based on whether the privacy disclaimer comprises language associated with at least one of a legal requirement or an industry requirement; determining a vendor risk rating based on the privacy disclaimer factor; determining that the vendor risk rating meets a threshold risk rating; generating a graphical user interface based on determining that the vendor risk rating meets the threshold risk rating by configuring a first navigation element on the graphical user interface and excluding a second navigation element from the graphical user interface, wherein: the first navigation element is configured for initiating a responsive action based on the vendor risk rating meeting the threshold risk rating, and the second navigation element is configured for navigating to a display element that presents an indication that the vendor risk rating does not meet the threshold risk rating; transmitting an instruction to a user device to present the graphical user interface on the user device; detecting a selection of the first navigation element; and responsive to detecting the selection of the first navigation element, initiating the responsive action.

“In particular embodiments, identifying the privacy disclaimer associated with the software application comprises identifying the privacy disclaimer on a webpage provided by the vendor for downloading the software application. In particular embodiments, the vendor risk rating is further based on a public information factor; and the method further comprises determining the public information factor based on public information associated with the vendor. In particular embodiments, the public information comprises social networking website content. In particular embodiments, the public information comprises at least one of an employee title, an employee role, or an available job post. In particular embodiments, the public information comprises an indication of a contract between the vendor and a government entity. In particular embodiments, the vendor risk rating is further based on a third-party processor factor; and the method further comprises determining the third-party processor factor based on a webpage provided by the vendor for downloading the software application.

“A non-transitory computer-readable medium according to various embodiments, may store computer-executable instructions that, when executed by processing hardware, configure the processing hardware to perform operations comprising: downloading a software application from a computer system associated with a vendor; identifying a privacy disclaimer associated with the software application; determining a privacy disclaimer factor for the privacy disclaimer based on whether the privacy disclaimer comprises language associated with at least one of a legal requirement or an industry requirement; determining a vendor risk rating based on the privacy disclaimer factor; generating a graphical user interface based on determining that the vendor risk rating does not meet a threshold risk rating by configuring a first navigation element on the graphical user interface and excluding a second navigation element from the graphical user interface, wherein: the first navigation element is configured for initiating a responsive action based on the vendor risk rating not meeting the threshold risk rating, and the second navigation element is configured for initiating a second responsive action based on the vendor risk rating meeting the threshold risk rating; transmitting an instruction to a user device to present the graphical user interface on the user device; detecting a selection of the first navigation element; and responsive to detecting the selection of the first navigation element, initiating the first responsive action.”

The claims supplied by the inventors are:

“1. A method comprising: scanning, by computing hardware, a webpage associated with a vendor to identify a security certification, wherein the security certification is associated with a certifying authority and indicates that the vendor is in compliance with security certification requirements of the certifying authority; calculating, by the computing hardware, a vendor risk rating based on the security certification; generating, by the computing hardware and based on the vendor risk rating, a graphical user interface comprising a menu for managing a computerized workflow related to the vendor, the menu comprising a navigation element and a display element from the graphical user interface, wherein: the navigation element is configured for initiating a responsive action based on the vendor risk rating, and the display element is configured for presenting the vendor risk rating; transmitting, by the computing hardware, an instruction to a user computing device to present the graphical user interface on the user computing device; detecting, by the computing hardware, selection of the navigation element; and responsive to detecting the selection of the navigation element, initiating, by the computing hardware, the responsive action.

“2. The method of claim 1, wherein scanning the webpage comprises scanning the webpage for content indicating receipt of the security certification by the vendor.

“3. The method of claim 1, wherein scanning the webpage comprises scanning the webpage for an image indicating receipt of the security certification by the vendor.

“4. The method of claim 1, wherein scanning the webpage comprises scanning computer code associated with the webpage to identify an indication of the security certification.

“5. The method of claim 1, wherein the responsive action comprises: generating a second graphical user interface comprising an indication of the vendor risk rating, and transmitting a second instruction to a third-party computing device to present the second graphical user interface on the third-party computing device.

“6. The method of claim 1, wherein the responsive action comprises: generating an electronic communication comprising an indication of the vendor risk rating, and transmitting the electronic communication to a third-party computing device.

“7. A system comprising: a non-transitory computer-readable medium storing instructions; and a processing device communicatively coupled to the non-transitory computer-readable medium, wherein the processing device is configured to execute the instructions and thereby perform operations comprising: scanning a webpage associated with a vendor to identify a security certification, wherein the security certification is associated with a certifying authority and indicates that the vendor is in compliance with security certification requirements of the certifying authority; determining a vendor risk rating based on the security certification; determining that the vendor risk rating meets a threshold risk rating; generating, by the computing hardware and based on the vendor risk rating, a graphical user interface comprising a menu for managing a computerized workflow related to the vendor, the menu comprising a navigation element and a display element from the graphical user interface, wherein: the navigation element is configured for initiating a responsive action based on the vendor risk rating, and the display element is configured for presenting the vendor risk rating; transmitting an instruction to a user computing device to present the graphical user interface on the user device; detecting a selection of the first navigation element; and responsive to detecting the selection of the first navigation element, initiating the responsive action.

“8. The system of claim 7, wherein scanning the webpage comprises at least one of scanning the webpage for content indicating receipt of the security certification by the vendor, scanning the webpage for an image indicating receipt of the security certification by the vendor, or scanning computer code associated with the webpage to identify an indication of the security certification.

“9. The system of claim 7, wherein the responsive action comprises: generating a second graphical user interface comprising an indication of the vendor risk rating, and transmitting a second instruction to a third-party computing device to present the second graphical user interface on the third-party computing device.

“10. The system of claim 7, wherein the responsive action comprises: generating an electronic communication comprising an indication of the vendor risk rating, and transmitting the electronic communication to a third-party computing device.

“11. The system of claim 7, wherein the operations further comprise: determining a public information factor based on public information associated with the vendor and the vendor risk rating is further based on the public information factor.

“12. The system of claim 7, wherein the operations further comprise: determining a presence of a suitable privacy notice on the website, and the vendor risk rating is further based on the presence of the suitable privacy notice.

“13. The system of claim 7, wherein the operations further comprise: determining a presence of a control center on the website that enables a visitor to the website to allow collection of certain data, and the vendor risk rating is further based on the presence of the control center.

“14. A non-transitory computer-readable medium storing computer-executable instructions that, when executed by processing hardware, causes the processing hardware to perform operations comprising: scanning a webpage associated with a vendor to identify a security certification, wherein the security certification is associated with a certifying authority and indicates that the vendor is in compliance with security certification requirements of the certifying authority; accessing a database of security certifications to determine that the vendor actually holds the security certification; determining a vendor risk rating based on the security certification; generating, by the computing hardware and based on the vendor risk rating, a graphical user interface comprising a menu for managing a computerized workflow related to the vendor, the menu comprising a navigation element and a display element from the graphical user interface, wherein: the navigation element is configured for initiating a responsive action based on the vendor risk rating, and the display element is configured for presenting the vendor risk rating; detecting a selection of the first navigation element; and responsive to detecting the selection of the first navigation element, initiating the first responsive action.

“15. The non-transitory computer-readable medium of claim 14, wherein the first responsive action comprises transferring the vendor risk rating to a current or potential customer of the vendor for use in assessing a risk of doing business with the vendor.

“16. The non-transitory computer-readable medium of claim 14, wherein the second responsive action comprises navigating to a display element that presents an indication that the vendor risk rating does meet the threshold risk rating.

“17. The non-transitory computer-readable medium of claim 14, wherein the second responsive action comprises: generating an electronic communication comprising an indication of the vendor risk rating does meet the threshold risk rating, and transmitting the electronic communication to a third-party computing device.

“18. The non-transitory computer-readable medium of claim 14, wherein scanning the webpage comprises at least one of scanning the webpage for content indicating receipt of the security certification by the vendor, scanning the webpage for an image indicating receipt of the security certification by the vendor, or scanning computer code associated with the webpage to identify an indication of the security certification.

“19. The non-transitory computer-readable medium of claim 14, wherein the operations further comprise: determining a presence of a suitable privacy notice on the website, and the vendor risk rating is further based on the presence of the suitable privacy notice.

“20. The non-transitory computer-readable medium of claim 14, wherein the operations further comprise: determining a presence of a control center on the website that enables a visitor to the website to allow collection of certain data, and the vendor risk rating is further based on the presence of the control center.”

For more information, see this patent: Brannon, Jonathan Blake. Data processing and scanning systems for assessing vendor risk. U.S. Patent Number 11366909, filed June 8, 2021, and published online on June 21, 2022. Patent URL: http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.htm&r=1&f=G&l=50&s1=11366909.PN.&OS=PN/11366909RS=PN/11366909

(Our reports deliver fact-based news of research and discoveries from around the world.)