Researchers Submit Patent Application, “Data Processing And Scanning Systems For Assessing Vendor Risk”, for Approval (USPTO 20220300619): OneTrust LLC

2022 OCT 07 (NewsRx) -- By a News Reporter-Staff News Editor at Insurance Daily News -- From Washington, D.C., NewsRx journalists report that a patent application by the inventor Brannon, Jonathan Blake (Smyrna, GA, US), filed on June 9, 2022, was made available online on September 22, 2022.

The patent’s assignee is OneTrust LLC (Atlanta, Georgia, United States).

News editors obtained the following quote from the background information supplied by the inventors: “Over the past years, privacy and security policies, and related operations have become increasingly important. Breaches in security, leading to the unauthorized access of personal data (which may include sensitive personal data) have become more frequent among companies and other organizations of all sizes. Such personal data may include, but is not limited to, personally identifiable information (PII), which may be information that directly (or indirectly) identifies an individual or entity. Examples of PII include names, addresses, dates of birth, social security numbers, and biometric identifiers such as a person’s fingerprints or picture. Other personal data may include, for example, customers’ Internet browsing habits, purchase history, or even their preferences (e.g., likes and dislikes, as provided or obtained through social media).

“Many organizations that obtain, use, and transfer personal data, including sensitive personal data, have begun to address these privacy and security issues. To manage personal data, many companies have attempted to implement operational policies and processes that comply with legal requirements, such as Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) or the U.S.’s Health Insurance Portability and Accountability Act (HIPPA) protecting a patient’s medical information. Many regulators recommend conducting privacy impact assessments, or data protection risk assessments along with data inventory mapping. For example, the GDPR requires data protection impact assessments. Additionally, the United Kingdom ICO’s office provides guidance around privacy impact assessments. The OPC in Canada recommends certain personal information inventory practices, and the Singapore PDPA specifically mentions personal data inventory mapping.

“Many organizations have also begun to track the compliance of their vendors with privacy laws, regulations, and/or standards. This can be expensive and time consuming using traditional methods. Accordingly, there is a need for improved systems and methods for efficiently tracking the compliance of vendors with privacy laws, regulations, and/or standards, and for assessing the risk associated with doing business with a particular vendor.”

As a supplement to the background information on this patent application, NewsRx correspondents also obtained the inventor’s summary information for this patent application: “A method according to various embodiments, may include: executing, by computing hardware, a download of a software application from a computer system associated with a vendor; identifying, by the computing hardware and based on the download of the software application, a plurality of vendor attributes, wherein the plurality of vendor attributes comprises a privacy disclaimer associated with the software application; determining, by the computing hardware, factors for the plurality of vendor attributes, wherein determining the factors for the plurality of vendor attributes comprises determining a privacy disclaimer factor for the privacy disclaimer by: analyzing the privacy disclaimer to determine whether the privacy disclaimer comprises language associated with at least one of a legal requirement or an industry requirement; and determining the privacy disclaimer factor based on whether the privacy disclaimer comprises the language associated with the at least one of the legal requirement or the industry requirement; determining, by the computing hardware, a vendor risk rating based on the factors for the plurality of vendor attributes; generating, by the computing hardware and based on the vendor risk rating, a graphical user interface by configuring a navigation element on the graphical user interface and excluding a display element from the graphical user interface, wherein: the navigation element is configured for initiating a responsive action based on the vendor risk rating, and the display element is configured for presenting the vendor risk rating; transmitting, by the computing hardware, an instruction to a user device to present the graphical user interface on the user device; detecting, by the computing hardware, selection of the navigation element; and responsive to detecting the selection of the navigation element, initiating, by the computing hardware, the responsive action.

“In particular embodiments, the responsive action comprises: generating a second graphical user interface comprising an indication of the vendor risk rating and transmitting a second instruction to a third-party computing device to present the second graphical user interface on the third-party computing device. In particular embodiments, the second graphical user interface further comprises an indication of the software application. In particular embodiments, the responsive action comprises: generating an electronic communication comprising an indication of the vendor risk rating and transmitting the electronic communication to a third-party computing device. In particular embodiments, the factors for the plurality of vendor attributes comprise a security certification factor; and the method further comprises: analyzing computer code associated with the vendor to identify an indication of a security certification associated with the vendor; and determining the security certification factor based on the security certification. In particular embodiments, the factors for the plurality of vendor attributes comprise a security certification factor; and the method further comprises: scanning a website associated with the vendor to identify an image associated with a security certification associated with the vendor; and determining the security certification factor based on the security certification. In particular embodiments, determining the security certification factor based on the security certification comprises: accessing a database of security certifications to determine whether the vendor holds the security certification; and determining the security certification factor based on whether the vendor holds the security certification.

“A system, according to various embodiments, may include: a non-transitory computer-readable medium storing instructions; and a processing device communicatively coupled to the non-transitory computer-readable medium, wherein the processing device is configured to execute the instructions and thereby perform operations comprising: downloading a software application from a computer system associated with a vendor; identifying a privacy disclaimer associated with the software application; determining a privacy disclaimer factor for the privacy disclaimer based on whether the privacy disclaimer comprises language associated with at least one of a legal requirement or an industry requirement; determining a vendor risk rating based on the privacy disclaimer factor; determining that the vendor risk rating meets a threshold risk rating; generating a graphical user interface based on determining that the vendor risk rating meets the threshold risk rating by configuring a first navigation element on the graphical user interface and excluding a second navigation element from the graphical user interface, wherein: the first navigation element is configured for initiating a responsive action based on the vendor risk rating meeting the threshold risk rating, and the second navigation element is configured for navigating to a display element that presents an indication that the vendor risk rating does not meet the threshold risk rating; transmitting an instruction to a user device to present the graphical user interface on the user device; detecting a selection of the first navigation element; and responsive to detecting the selection of the first navigation element, initiating the responsive action.

“In particular embodiments, identifying the privacy disclaimer associated with the software application comprises identifying the privacy disclaimer on a webpage provided by the vendor for downloading the software application. In particular embodiments, the vendor risk rating is further based on a public information factor; and the method further comprises determining the public information factor based on public information associated with the vendor. In particular embodiments, the public information comprises social networking website content. In particular embodiments, the public information comprises at least one of an employee title, an employee role, or an available job post. In particular embodiments, the public information comprises an indication of a contract between the vendor and a government entity. In particular embodiments, the vendor risk rating is further based on a third-party processor factor; and the method further comprises determining the third-party processor factor based on a webpage provided by the vendor for downloading the software application.

“A non-transitory computer-readable medium according to various embodiments, may store computer-executable instructions that, when executed by processing hardware, configure the processing hardware to perform operations comprising: downloading a software application from a computer system associated with a vendor; identifying a privacy disclaimer associated with the software application; determining a privacy disclaimer factor for the privacy disclaimer based on whether the privacy disclaimer comprises language associated with at least one of a legal requirement or an industry requirement; determining a vendor risk rating based on the privacy disclaimer factor; generating a graphical user interface based on determining that the vendor risk rating does not meet a threshold risk rating by configuring a first navigation element on the graphical user interface and excluding a second navigation element from the graphical user interface, wherein: the first navigation element is configured for initiating a responsive action based on the vendor risk rating not meeting the threshold risk rating, and the second navigation element is configured for initiating a second responsive action based on the vendor risk rating meeting the threshold risk rating; transmitting an instruction to a user device to present the graphical user interface on the user device; detecting a selection of the first navigation element; and responsive to detecting the selection of the first navigation element, initiating the first responsive action.

“In particular embodiments, determining the vendor risk rating based on the privacy disclaimer factor comprises a step for determining the vendor risk rating based on a plurality of vendor factors, wherein the plurality of vendor factors comprises the privacy disclaimer factor. In particular embodiments, determining the vendor risk rating based on the plurality of vendor factors comprises a step for applying a respective weighting factor to a respective vendor attribute to determine each of the plurality of vendor factors. In particular embodiments, the first responsive action comprises transferring the vendor risk rating to a current or potential customer of the vendor for use in assessing a risk of doing business with the vendor. In particular embodiments, identifying the privacy disclaimer associated with the software application comprises downloading the privacy disclaimer with the software application. In particular embodiments, identifying the privacy disclaimer associated with the software application comprises identifying the privacy disclaimer on a webpage generated by the vendor in response to downloading the software application.”

There is additional summary information. Please visit full patent to read further.”

The claims supplied by the inventors are:

“1. A method comprising: receiving, by computing hardware, a completed template from a vendor, the completed template including question/answer pairings regarding a particular product or service provided by the vendor; scanning, by the computing hardware, webpages associated with the vendor to identify vendor attributes, wherein the vendor attributes include a notification regarding operations conducted by the vendor; analyzing, by the computing hardware, the notification to identify key terms in the notification related to the particular product or service that is a subject of at least one question within the template; analyzing, by the computing hardware, content of the at least one of the question/answer pairings in the completed template to identify verification data originating from a third-party entity and verifying that the vendor has implemented, with respect to one or more vendor systems, one or more procedures required by the third-party entity; calculating, by the computing hardware, a vendor risk rating for the vendor based on: the verification data; the key terms in the notification; and the question/answer pairings from the template; and taking, by the computing hardware, an automated action based on the calculated vendor risk rating.

“2. The method of claim 1, wherein the vendor attributes comprise at least one of a certification held by the vendor or an award earned by the vendor.

“3. The method of claim 1, wherein the automated action comprises providing the vendor risk rating to a current or potential customer of the vendor for use in assessing a risk of engaging the particular product or service provided by the vendor.

“4. The method of claim 1, wherein the method further comprises: requesting, by the computing hardware, an updated version of the completed template from the vendor in response to determining that the particular product or service has been revised; receiving, by the computing hardware, the updated version of the completed template, the updated version comprising at least one revised question/answer paring; and calculating, by the computing hardware, the vendor risk rating for the vendor based on the updated version of the completed template and the at least one revised question/answer paring.

“5. The method of claim 1, wherein: the method further comprises determining at least one of employee titles, employee roles, or available job posts for the vendor from one or more third party social networking sites; and calculating the vendor risk rating based on the employee titles, employee roles, or available job posts for the vendor.

“6. The method of claim 1, wherein the particular product or service provided by the vendor includes at least one of a component or a raw material.

“7. The methhod of claim 1, further comprising: monitoring the webpages for changes to the vendor attributes; in response to identifying changes to the vendor attributes, modifying, by the computing hardware, the vendor risk rating based on the changes.

“8. A system comprising: a non-transitory computer-readable medium storing instructions; and a processing device communicatively coupled to the non-transitory computer-readable medium, wherein the processing device is configured to execute the instructions and thereby perform operations comprising: receiving, by computing hardware, a completed template from a vendor, the completed template including question/answer pairings regarding a particular product or service provided by the vendor; scanning, by the computing hardware, webpages associated with the vendor to identify vendor attributes, wherein the vendor attributes include an indication regarding operations conducted by the vendor; analyzing, by the computing hardware, the indication to identify an attestation related to the particular product or service that is a subject of at least one question within the template; analyzing content of the at least one of the question/answer pairings in the completed template to identify verification data originating from a third-party entity and verifying that the vendor has implemented, with respect to one or more vendor systems, one or more procedures required by the third-party entity; calculating a vendor risk rating for the vendor based on: the verification data; the attestation related to the product or service; and the question/answer pairings from the template; and facilitating an action based on the calculated vendor risk rating.

“9. The system of claim 8, wherein the operations further comprise: accessing, via a public data network, one or more databases to confirm a validity of the attestation; and calculating the vendor risk rating based on the validity of the attestation.

“10. The system of claim 8, wherein the vendor attributes comprise one or more policies implemented by the vendor.

“11. The system of claim 8, the operations further comprising: monitoring the webpages for updates; in response to identifying the updates, determining whether the updates affect the vendor attributes; and in response to determining that the updates affect the vendor attributes, calculating an updated vendor risk rating based on the affected vendor attributes.

“12. The system of claim 8, wherein the vendor attributes comprise at least one of a key partner of the vendor or a sub processor for the particular product or service provided by the vendor.

“13. The system of claim 8, the operations further comprising: accessing employment data for the vendor, the employment data comprising at least one of an employee title or an open job listing for the vendor; and calculating the vendor risk rating based on the employee title or the open job listing for the vendor.

“14. The system of claim 8, wherein the vendor attributes comprise at least one of a certification held by the vendor or an award earned by the vendor.

“15. A method comprising: receiving, by computing hardware, a completed template from a vendor, the completed template including question/answer pairings regarding a particular product or service provided by the vendor; scanning, by the computing hardware, webpages associated with the vendor to identify vendor attributes, wherein the vendor attributes include a policy regarding operations conducted by the vendor; analyzing, by the computing hardware, the notification to identify key terms in the policy related to the particular product or service that is a subject of at least one question within the template; analyzing, by the computing hardware, content of the at least one of the question/answer pairings in the completed template to identify verification data originating from a third-party entity and verifying that the vendor has implemented, with respect to one or more vendor systems, one or more procedures required by the third-party entity; calculating, by the computing hardware, a vendor risk rating for the vendor based on: the verification data; the key terms in the policy; and the question/answer pairings from the template; and facilitating, by the computing hardware, performance of an action based on the calculated vendor risk rating.

“16. The method of claim 15, wherein the action comprises providing the vendor risk rating to a current or potential customer of the vendor for use in assessing a risk of engaging the particular product or service provided by the vendor.

“17. The method of claim 15, wherein the particular product or service provided by the vendor includes at least one of a component or a raw material.

“18. The method of claim 15, further comprising: monitoring, by the computing hardware, the policy for changes; in response to identifying the changes, identifying, by the computing hardware, updated key terms; and calculating, by the computing hardware, an updated vendor risk rating based on the updated key terms.

“19. The method of claim 15, wherein the vendor attributes comprise at least one of a key partner of the vendor or a sub processor for the particular product or service provided by the vendor.

“20. The method of claim 15, wherein: the method further comprises determining at least one of employee titles, employee roles, or available job posts for the vendor from one or more third party social networking sites; and calculating the vendor risk rating is based on the employee titles, employee roles, or available job posts for the vendor.”

For additional information on this patent application, see: Brannon, Jonathan Blake. Data Processing And Scanning Systems For Assessing Vendor Risk. Filed June 9, 2022 and posted September 22, 2022. Patent URL: https://appft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PG01&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.html&r=1&f=G&l=50&s1=%2220220300619%22.PGNR.&OS=DN/20220300619&RS=DN/20220300619

(Our reports deliver fact-based news of research and discoveries from around the world.)