Patent Issued for Data processing and scanning systems for assessing vendor risk (USPTO 11416589): OneTrust LLC
2022 SEP 06 (NewsRx) -- By a
The patent’s assignee for patent number 11416589 is
News editors obtained the following quote from the background information supplied by the inventors: “Over the past years, privacy and security policies, and related operations have become increasingly important. Breaches in security, leading to the unauthorized access of personal data (which may include sensitive personal data) have become more frequent among companies and other organizations of all sizes. Such personal data may include, but is not limited to, personally identifiable information (PII), which may be information that directly (or indirectly) identifies an individual or entity. Examples of PII include names, addresses, dates of birth, social security numbers, and biometric identifiers such as a person’s fingerprints or picture. Other personal data may include, for example, customers’ Internet browsing habits, purchase history, or even their preferences (e.g., likes and dislikes, as provided or obtained through social media).
“Many organizations that obtain, use, and transfer personal data, including sensitive personal data, have begun to address these privacy and security issues. To manage personal data, many companies have attempted to implement operational policies and processes that comply with legal requirements, such as Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) or the U.S.’s Health Insurance Portability and Accountability Act (HIPAA) protecting a patient’s medical information. Many regulators recommend conducting privacy impact assessments, or data protection risk assessments along with data inventory mapping. For example, the GDPR requires data protection impact assessments. Additionally, the United Kingdom ICO’s office provides guidance around privacy impact assessments. The OPC in
“Organizations that obtain, use, and transfer personal data often work with other organizations (“vendors”) that provide services and/or products to the organizations. Organizations working with vendors may be responsible for ensuring that any personal data to which their vendors may have access is handled properly. In addition, organizations working with vendors may have obligations to such vendors resulting from the organizations experiencing incidents involving sensitive and/or personal information (e.g., data breach) that may affect the vendors. However, organizations may have limited control over vendors and limited insight into their internal policies and procedures. In addition, many organizations may be involved with a large number of vendors, making it difficult for the organizations to identify what obligations to vendors are applicable when the organizations experience incidents involving sensitive and/or personal information. Therefore, there is currently a need for improved systems and methods that help organizations ensure that their vendors handle personal data properly, as well as meeting obligations with respect to multiple vendors when the organizations experience incidents involving sensitive and/or personal information that may affect the vendors.”
As a supplement to the background information on this patent, NewsRx correspondents also obtained the inventors’ summary information for this patent: “The details of one or more embodiments of the subject matter described in this specification are set forth in the accompanying drawings and the description below. Other features, aspects, and advantages of the subject matter may become apparent from the description, the drawings, and the claims.
“A method, according to particular aspects, comprises: (1) receiving, by computer hardware, an indication of a data incident involving a breach of a first data asset used for at least one of collecting, processing, storing, or transferring data; (2) identifying, by the computer hardware, a data model based on the first data asset, wherein the data model (i) represents the first data asset and a second data asset used for at least one of collecting, processing, storing, or transferring the data, (ii) identifies a flow of the data between the first data asset and the second data asset, and (iii) identifies a vendor attribute for the second data asset; (3) determining, by the computer hardware, a vendor based on the vendor attribute, wherein the vendor attribute identifies the vendor at least one of controls or communicates with the second data asset to at least one of collect, process, store, or transfer the data; (4) determining, by the computer hardware, a notification obligation for the vendor; (5) identifying, by the computer hardware, a task associated with satisfying the notification obligation; (6) generating, by the computer hardware, a first graphical user interface based on the task, wherein the first graphical user interface is displayed on a user computing device to a user and provides the task as selectable by the user; (7) receiving an indication of a first type of selection of the task by the user on the first graphical user interface; (8) responsive to receiving the indication of the first type of selection, generating, by the computer hardware, a second graphical user interface, wherein the second graphical user interface is displayed on the user computing device to the user superimposed over a portion of the first graphical user interface and provides a description of the task; (9) receiving an indication of a second type of selection of the task by the user on the first graphical user interface; and (10) responsive to receiving the indication of the second type of selection, generating, by the computer hardware, a third graphical user interface, wherein the third graphical user interface is displayed on the user computing device to the user and provides details for performing the task.
“According to particular aspects, the first type of selection of the task comprises hovering a cursor over the task and the second type of selection of the task comprises clicking on the task. According to some aspects, the third graphical user interface comprises at least one of a reason section providing the notification obligation or a task information section providing a response received from an individual assigned to perform the task. In still other aspects, the third graphical user interface comprises an upload section configured to allow the user to upload a communication sent to the vendor in satisfying the task. In various aspects, the first graphical user interface displays the task with a status on a completion of the task and the third graphical user interface comprises a completion control and the method further comprises: (1) receiving an indication of a selection of the completion control; and (2) responsive to receiving the indication of the selection of the completion control, updating the status to reflect the completion of the task. In other aspects, the first data asset comprises at least one of a software application, a computing device, database, or a website. In particular aspects, determining the notification obligation for the vendor comprises analyzing a document defining obligations to the vendor using a language processing technique to identify particular terms in the document, and, based on the particular terms, determining the notification obligation for the vendor.
“According to another aspect of the disclosure, a system is provided that comprises a non-transitory computer-readable medium storing instructions and a processing device communicatively coupled to the non-transitory computer-readable medium. In any aspect described herein, the processing device may be configured to execute the instructions and thereby perform operations comprising: (1) identifying, based on a data incident involving a first data asset used for at least one of collecting, processing, storing, or transferring data, a data model for the first data asset, wherein the data model (i) represents the first data asset and a second data asset used for at least one of collecting, processing, storing, or transferring the data, (ii) identifies a flow of the data between the first data asset and the second data asset, and (iii) identifies a vendor attribute for the second data asset; (2) determining a vendor based on the vendor attribute, wherein the vendor attribute identifies the vendor at least one of controls or communicates with the second data asset to at least one of collect, process, store, or transfer the data; (3) identifying a task associated with satisfying a notification obligation for the vendor; (4) generating a first graphical user interface based on the task, wherein the first graphical user interface is displayed on a user computing device to a user and provides the task as selectable by the user; (5) receiving an indication of a first type of selection of the task by the user on the first graphical user interface; (6) responsive to receiving the indication of the first type of selection, generating a second graphical user interface, wherein the second graphical user interface is displayed on the user computing device to the user and provides a description of the task; (7) receiving an indication of a second type of selection of the task by the user on the first graphical user interface; and (8) responsive to receiving the indication of the second type of selection, generating a third graphical user interface, wherein the third graphical user interface is displayed on the user computing device to the user and provides details for performing the task.
“In various aspects, the operations further comprise determining, based on the notification obligation, a timeframe within which the task is to be completed, and the first graphical user interface displays the task with the timeframe. According to still other aspects, the operations further comprise analyzing an attribute of the data incident to determine a risk level associated with the data incident, wherein the notification obligation for the vendor is based on the risk level associated with the data incident. In particular aspects, the operations further comprise analyzing an attribute of the data incident to determine a scope of the data incident, wherein the notification obligation for the vendor is based on the scope of the data incident. According to various aspects, the first type of selection of the task comprises hovering a cursor over the task and the second type of selection of the task comprises clicking on the task. In yet other aspects, the third graphical user interface comprises an upload section configured to allow the user to upload a communication sent to the vendor in satisfying the task. According to some aspects, the first graphical user interface displays the task with a status on a completion of the task and the third graphical user interface comprises a completion control and the operations further comprise: (1) receiving an indication of a selection of the completion control; and (2) responsive to receiving the indication of the selection of the completion control, having the status updated to reflect the completion of the task.”
The claims supplied by the inventors are:
“1. A method comprising: receiving, by computer hardware, an indication of a data incident involving a breach of a first data asset used for at least one of collecting, processing, storing, or transferring data; identifying, by the computer hardware, a data model based on the first data asset, wherein the data model (i) represents the first data asset and a second data asset used for at least one of collecting, processing, storing, or transferring the data, (ii) identifies a flow of the data between the first data asset and the second data asset, and (iii) identifies a vendor attribute for the second data asset; determining, by the computer hardware, a vendor based on the vendor attribute, wherein the vendor attribute identifies the vendor at least one of controls or communicates with the second data asset to at least one of collect, process, store, or transfer the data; determining, by the computer hardware, a notification obligation for the vendor; identifying, by the computer hardware, a task associated with satisfying the notification obligation; generating, by the computer hardware, a first graphical user interface based on the task, wherein the first graphical user interface is displayed on a user computing device to a user and provides the task as selectable by the user; receiving an indication of a first type of selection of the task by the user on the first graphical user interface; responsive to receiving the indication of the first type of selection, generating, by the computer hardware, a second graphical user interface, wherein the second graphical user interface is displayed on the user computing device to the user superimposed over a portion of the first graphical user interface and provides a description of the task; receiving an indication of a second type of selection of the task by the user on the first graphical user interface; and responsive to receiving the indication of the second type of selection, generating, by the computer hardware, a third graphical user interface, wherein the third graphical user interface is displayed on the user computing device to the user and provides details for performing the task.
“2. The method of claim 1, wherein the first type of selection of the task comprises hovering a cursor over the task and the second type of selection of the task comprises clicking on the task.
“3. The method of claim 1, wherein the third graphical user interface comprises at least one of a reason section providing the notification obligation or a task information section providing a response received from an individual assigned to perform the task.
“4. The method of claim 1, wherein the third graphical user interface comprises an upload section configured to allow the user to upload a communication sent to the vendor in satisfying the task.
“5. The method of claim 1, wherein the first graphical user interface displays the task with a status on a completion of the task and the third graphical user interface comprises a completion control and the method further comprises: receiving an indication of a selection of the completion control; and responsive to receiving the indication of the selection of the completion control, updating the status to reflect the completion of the task.
“6. The method of claim 1, wherein the first data asset comprises at least one of a software application, a computing device, database, or a website.
“7. The method of claim 1, wherein determining the notification obligation for the vendor comprises: analyzing a document defining obligations to the vendor using a language processing technique to identify particular terms in the document; and based on the particular terms, determining the notification obligation for the vendor.
“8. A system comprising: a non-transitory computer-readable medium storing instructions; and a processing device communicatively coupled to the non-transitory computer-readable medium, wherein, the processing device is configured to execute the instructions and thereby perform operations comprising: identifying, based on a data incident involving a first data asset used for at least one of collecting, processing, storing, or transferring data, a data model for the first data asset, wherein the data model (i) represents the first data asset and a second data asset used for at least one of collecting, processing, storing, or transferring the data, (ii) identifies a flow of the data between the first data asset and the second data asset, and (iii) identifies a vendor attribute for the second data asset; determining a vendor based on the vendor attribute, wherein the vendor attribute identifies the vendor at least one of controls or communicates with the second data asset to at least one of collect, process, store, or transfer the data; identifying a task associated with satisfying a notification obligation for the vendor; generating a first graphical user interface based on the task, wherein the first graphical user interface is displayed on a user computing device to a user and provides the task as selectable by the user; receiving an indication of a first type of selection of the task by the user on the first graphical user interface; responsive to receiving the indication of the first type of selection, generating a second graphical user interface, wherein the second graphical user interface is displayed on the user computing device to the user and provides a description of the task; receiving an indication of a second type of selection of the task by the user on the first graphical user interface; and responsive to receiving the indication of the second type of selection, generating a third graphical user interface, wherein the third graphical user interface is displayed on the user computing device to the user and provides details for performing the task.
“9. The system of claim 8, wherein the operations further comprise determining, based on the notification obligation, a timeframe within which the task is to be completed, and the first graphical user interface displays the task with the timeframe.
“10. The system of claim 8, wherein the operations further comprise analyzing an attribute of the data incident to determine a risk level associated with the data incident, wherein the notification obligation for the vendor is based on the risk level associated with the data incident.
“11. The system of claim 8, wherein the operations further comprise analyzing an attribute of the data incident to determine a scope of the data incident, wherein the notification obligation for the vendor is based on the scope of the data incident.
“12. The system of claim 8, wherein the first type of selection of the task comprises hovering a cursor over the task and the second type of selection of the task comprises clicking on the task.
“13. The system of claim 8, wherein the third graphical user interface comprises an upload section configured to allow the user to upload a communication sent to the vendor in satisfying the task.
“14. The system of claim 8, wherein the first graphical user interface displays the task with a status on a completion of the task and the third graphical user interface comprises a completion control and the operations further comprise: receiving an indication of a selection of the completion control; and responsive to receiving the indication of the selection of the completion control, having the status updated to reflect the completion of the task.
“15. A non-transitory computer-readable medium having program code that is stored thereon, the program code executable by one or more processing devices for performing operations comprising: receiving an indication of a data incident involving a breach of a data asset used for at least one of collecting, processing, storing, or transferring data; identifying a data model based on the data asset, wherein the data model (i) represents the data asset, (ii) identifies a flow of the data of at least one of to or from the data asset, and (iii) identifies a vendor attribute for the data asset; determining a vendor based on the vendor attribute, wherein the vendor attribute identifies the vendor at least one of controls or communicates with the data asset to at least one of collect, process, store, or transfer the data; determining a notification obligation for the vendor; identifying a task associated with satisfying the notification obligation; generating a first graphical user interface based on the task, wherein the first graphical user interface is displayed on a user computing device to a user and provides the task as selectable by the user; receiving an indication of a first type of selection of the task by the user on the first graphical user interface; responsive to receiving the indication of the first type of selection, generating a second graphical user interface, wherein the second graphical user interface is displayed on the user computing device to the user and provides a description of the task; receiving an indication of a second type of selection of the task by the user on the first graphical user interface; and responsive to receiving the indication of the second type of selection, generating a third graphical user interface, wherein the third graphical user interface is displayed on the user computing device to the user and provides details for performing the task.
“16. The non-transitory computer-readable medium of claim 15, wherein the first type of selection of the task comprises hovering a cursor over the task and the second type of selection of the task comprises clicking on the task.
“17. The non-transitory computer-readable medium of claim 15, wherein the third graphical user interface comprises at least one of a reason section providing the notification obligation or a task information section providing a response received from an individual assigned to perform the task.”
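The incident-to-vendor walk that claims 1, 7 and 9 through 11 describe, as an added example that is neither the patent's nor OneTrust's code: a constructed data model of assets and flows, a breadth-first walk from the breached first asset to second assets carrying a vendor attribute, a simplified regex term extraction standing in for the claimed language-processing step, and task timeframes tightened by risk level or scope. All asset, vendor and contract values, the 24-hour floor and the 10,000-record scope threshold are constructed assumptions.

```python
import re
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class DataAsset:
    name: str
    kind: str          # claim 6: application, computing device, database, website
    vendor: str = ""   # vendor attribute (claim 1 (iii)); empty means an internal asset

# Constructed sample data model: assets plus directed data flows between them.
ASSETS = {
    "crm-app": DataAsset("crm-app", "application"),
    "customer-db": DataAsset("customer-db", "database"),
    "mail-relay": DataAsset("mail-relay", "application", vendor="MailVendor"),
    "analytics-api": DataAsset("analytics-api", "application", vendor="AnalyticsVendor"),
    "hr-system": DataAsset("hr-system", "application", vendor="HRVendor"),
}
FLOWS = [("crm-app", "customer-db"), ("customer-db", "analytics-api"),
         ("crm-app", "mail-relay")]  # hr-system shares no flow with the CRM

# Constructed contract clauses; claim 7 derives the obligation from contract terms.
CONTRACTS = {
    "MailVendor": "Customer shall notify Vendor within 72 hours of any security incident.",
    "AnalyticsVendor": "Customer shall notify Vendor within 24 hours of a data breach.",
    "HRVendor": "Customer shall notify Vendor within 48 hours of any incident.",
}

def reachable_assets(start, flows=FLOWS):
    """Breadth-first walk over data flows, in either direction, from the breached asset."""
    adj = {}
    for src, dst in flows:
        adj.setdefault(src, set()).add(dst)
        adj.setdefault(dst, set()).add(src)
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in adj.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}

def affected_vendors(start, assets=ASSETS, flows=FLOWS):
    """Vendors named by the vendor attribute of any second asset reachable from the breach."""
    return {assets[a].vendor for a in reachable_assets(start, flows) if assets[a].vendor}

def obligation_hours(clause):
    """Simplified term extraction standing in for the claimed language-processing step."""
    m = re.search(r"notify\b.*?\bwithin (\d+) hours", clause, re.IGNORECASE)
    return int(m.group(1)) if m else None

def build_tasks(breached_asset, risk_level, record_count,
                assets=ASSETS, flows=FLOWS, contracts=CONTRACTS):
    """One notification task per affected vendor, with a timeframe (claim 9) that a
    high risk level (claim 10) or wide scope (claim 11) tightens to 24 hours."""
    tighten = risk_level == "high" or record_count >= 10_000  # constructed thresholds
    tasks = []
    for vendor in sorted(affected_vendors(breached_asset, assets, flows)):
        hours = obligation_hours(contracts.get(vendor, "")) or 72  # constructed default
        tasks.append({"vendor": vendor, "timeframe_hours": min(hours, 24) if tighten else hours,
                      "task": f"Notify {vendor} of the incident on {breached_asset}",
                      "status": "open"})
    return tasks
```

The task list is what the claimed first graphical user interface would render, with each entry's status toggled by the completion control; an unreachable vendor such as HRVendor produces no task, which is the point of walking the data model rather than notifying every vendor on file.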
There are additional claims. Please visit the full patent to read further.
For additional information on this patent, see: Barday, Kabir A. Data processing and scanning systems for assessing vendor risk.