Automated privacy enforcement

US 8,869,295 B2
Filed: 10/26/2009
Issued: 10/21/2014
Est. Priority Date: 10/26/2009
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

identifying, by a computing device having a processor and memory, a first plurality of business purpose activities associated with an entity;

assigning, by a computing device having a processor and memory, a second plurality of business purpose activities to each employee of a plurality of employees of the entity, the second plurality of business purpose activities being a subset of the first plurality of business purpose activities;

identifying, by the computing device, a plurality of data elements to be protected, the plurality of data elements including data elements internal to the entity and data elements received by the entity from a third party, the plurality of data elements being associated with at least one user of the entity;

assigning, by the computing device, a numeric access value to each data element of the plurality of data elements for each identified business purpose activity of the first plurality of business purpose activities, wherein the numeric access value indicates a level of access to the data element of the plurality of data elements to which it is assigned permitted for an employee of the entity acting under the respective business purpose activity; and

determining, by the computing device, whether a data element of the plurality of protected data elements associated with the at least one user of the entity is provided by a third-party entity different from the entity,wherein when it is determined that the data element is provided by the third-party entity, the numeric access value is conditioned on a preference of the at least one user of the entity.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method of protecting the privacy of data is presented. The system and method may include receiving data from a data warehouse and determining an access level for each data element received. The access value may be based on the assigned business purpose of the user attempting to access the data. If a user with an assigned business purpose is authorized to access the data then access will be given, if not, access to the data will be denied. In some examples, the requesting user may request to override the security settings in order to obtain access to the data.

14 Citations

20 Claims

1. A method comprising:
- identifying, by a computing device having a processor and memory, a first plurality of business purpose activities associated with an entity;
  
  assigning, by a computing device having a processor and memory, a second plurality of business purpose activities to each employee of a plurality of employees of the entity, the second plurality of business purpose activities being a subset of the first plurality of business purpose activities;
  
  identifying, by the computing device, a plurality of data elements to be protected, the plurality of data elements including data elements internal to the entity and data elements received by the entity from a third party, the plurality of data elements being associated with at least one user of the entity;
  
  assigning, by the computing device, a numeric access value to each data element of the plurality of data elements for each identified business purpose activity of the first plurality of business purpose activities, wherein the numeric access value indicates a level of access to the data element of the plurality of data elements to which it is assigned permitted for an employee of the entity acting under the respective business purpose activity; and
  
  determining, by the computing device, whether a data element of the plurality of protected data elements associated with the at least one user of the entity is provided by a third-party entity different from the entity,wherein when it is determined that the data element is provided by the third-party entity, the numeric access value is conditioned on a preference of the at least one user of the entity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the plurality of business purpose activities are assigned to the each employee of the plurality of employees based on at least one of:
    - the employee'"'"'s job duties and the employee'"'"'s positions within the entity.
  - 3. The method of claim 1, further including;
    - receiving a request by an employee to access a first data element;
      
      identifying a first business purpose activity under which the employee is acting, the first business purpose activity being a business purpose activity of the second plurality of business purpose activities; and
      
      determining, based on a numeric access value assigned to the first data element, whether the first business purpose activity is authorized to access the first data element.
  - 4. The method of claim 3, further including, responsive to determining that the first business purpose activity is authorized to access the first data element, providing the employee access to the first data element.
  - 5. The method of claim 4, wherein providing access to the first data element includes generating a view including the first data element, and providing access to the first data element occurs in response to:
    - determining that access to the first data element is conditioned on the preference of the user associated with the first data element; and
      
      determining that the preference of the user indicates that the user has consented to share the first data element.
  - 6. The method of claim 3, further including:
    - responsive to determining that the first business purpose activity is authorized to access the first data element, determining that access to the first data element is conditioned on the preference of the user associated with the first data element;
      
      determining that the preference of the user indicates that the user has not consented to share the first data element,denying access to the first data element; and
      
      generating a view that does not include the data element.
  - 7. The method of claim 1, wherein assigning the numeric access value to each data element for each identified business purpose activity of the first plurality of business purpose activities includes selecting from one of at least three numeric access values for each data element for each business purpose activity of the first plurality of business purpose activities:
    - a first numeric access value indicating that employees associated with the respective business purpose activity have access to the data element;
      
      a second numeric access value indicating that employees associated with the respective business purpose activity do not have access to the data element; and
      
      a third numeric access value indicating that employees associated with the respective business purpose activity have conditional access to the data element based on the preference of the at least one user.
  - 8. The method of claim 1, further comprising:
    - receiving, by the computing device, a first request by the employee to access a first data element, the employee being assigned the second plurality of business purpose activities;
      
      identifying a first business purpose activity of the second plurality of business purpose activities under which the employee is acting;
      
      determining, based on a numeric access value assigned to the first data element, whether the first business purpose activity is authorized to access the first data element;
      
      responsive to determining that the first business purpose activity is not authorized to access the first data element, receiving a second request by the employee to access the first data element;
      
      identifying a second business purpose activity of the second plurality of business purpose activities under which the employee is acting;
      
      determining, based on the numeric access value assigned to the first data element, whether the second business purpose activity is authorized to access the first data element; and
      
      responsive to determining that the second business purpose is authorized to access the first data element,generating, by the computing device, a display for the employee, wherein the display displays the first data element.

9. One or more non-transitory computing readable media storing computer readable instructions that, when executed by a processor, cause one or more computing devices to:
- identify a first plurality of business purpose activities associated with an entity;
  
  assign a second plurality of business purpose activities to each employee of a plurality of employees of the entity, the second plurality of business purpose activities being a subset of the first plurality of business purpose activities;
  
  identify a plurality of data elements to be protected, the plurality of data elements including data elements internal to the entity and data elements received by the entity from a third party, the plurality of data elements being associated with at least one user of the entity;
  
  assign a numeric access value to each data element of the plurality of data elements for each identified business purpose activity of the first plurality of business purpose activities, wherein the numeric access value indicates a level of access to the data element of the plurality of data elements to which it is assigned permitted for an employee of the entity acting under the respective business purpose activity; and
  
  determine whether a data element of the plurality of protected data elements associated with the at least one user of the entity is provided by a third-party entity different from the entity, wherein when it is determined that the data element is provided by the third-party entity, the numeric access value is conditioned on a preference of the at least one user of the entity.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The one or more non-transitory computer-readable media of claim 9, wherein the plurality of business purpose activities are assigned to the each employee of the plurality of employees based on at least one of:
    - the employee'"'"'s job duties and the employee'"'"'s positions within the entity.
  - 11. The one or more non-transitory computer-readable media of claim 9, further including instructions that, when executed, cause the one or more computing devices to:
    - receive a request by an employee to access a first data element;
      
      identify a first business purpose activity under which the employee is acting, the first business purpose activity being a business purpose activity of the second plurality of business purpose activities; and
      
      determine, based on the numeric access value assigned to the first data element, whether the first business purpose activity is authorized to access the first data element.
  - 12. The one or more non-transitory computer-readable media of claim 11, further including instructions that, when executed, cause the one or more computing devices to:
    - responsive to determining that the first business purpose activity is authorized to access the first data element, provide the employee access to the first data element.
  - 13. The one or more non-transitory computer-readable media of claim 12, wherein providing access to the first data element includes generating a view including the first data element, and providing access to the first data element occurs in response to:
    - determining that access to the first data element is conditioned on the preference of the user associated with the first data element; and
      
      determining that the preference of the user indicates that the user has consented to share the first data element.
  - 14. The one or more non-transitory computer-readable media of claim 11, further including instructions that, when executed, cause the one or more computing devices to:
    - responsive to determining that the first business purpose activity is authorized to access the first data element, determine that access to the first data element is conditioned on the preference of the user associated with the first data element;
      
      determine that the preference of the user indicates that the user has not consented to share the first data element, denying access to the first data element; and
      
      generate a view that does not include the data element.

15. An apparatus, comprising:
- a processor; and
  
  memory coupled to the processor and storing instructions that, when executed by the processor, cause the apparatus to;
  
  identify a first plurality of business purpose activities associated with an entity;
  
  assign a second plurality of business purpose activities to each employee of a plurality of employees of the entity, the second plurality of business purpose activities being a subset of the first plurality of business purpose activities;
  
  identify a plurality of data elements to be protected, the plurality of data elements including data elements internal to the entity and data elements received by the entity from a third party, the plurality of data elements being associated with at least one user of the entity;
  
  assign a numeric access value to each data element of the plurality of data elements for each identified business purpose activity of the first plurality of business purpose activities, wherein the numeric access value indicates a level of access to the data element of the plurality of data elements to which it is assigned permitted for an employee of the entity acting under the respective business purpose activity; and
  
  determine whether a data element of the plurality of protected data elements associated with the at least one user of the entity is provided by a third-party entity different from the entity,wherein when it is determined that the data element is provided by the third-party entity, the numeric access value is conditioned on a preference of the at least one user of the entity.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The apparatus of claim 15, wherein the plurality of business purpose activities are assigned to the each employee of the plurality of employees based on at least one of:
    - the employee'"'"'s job duties and the employee'"'"'s positions within the entity.
  - 17. The apparatus of claim 15, further including instructions that, when executed, cause the apparatus to:
    - receive a request by an employee to access a first data element;
      
      identify a first business purpose activity under which the employee is acting, the first business purpose activity being a business purpose activity of the second plurality of business purpose activities; and
      
      determine, based on the numeric access value assigned to the first data element, whether the first business purpose activity is authorized to access the first data element.
  - 18. The apparatus of claim 17, further including instructions that, when executed, cause the one or more computing devices to:
    - responsive to determining that the first business purpose activity is authorized to access the first data element, provide the employee access to the first data element.
  - 19. The apparatus of claim 18, wherein providing access to the first data element includes generating a view including the first data element, and providing access to the first data element occurs in response to:
    - determining that access to the first data element is conditioned on the preference of the user associated with the first data element; and
      
      determining that the preference of the user indicates that the user has consented to share the first data element.
  - 20. The apparatus of claim 17, further including instructions that, when executed, cause the one or more computing devices to:
    - responsive to determining that the first business purpose activity is authorized to access the first data element, determine that access to the first data element is conditioned on the preference of the user associated with the first data element;
      
      determine that the preference of the user indicates that the user has not consented to share the first data element, denying access to the first data element; and
      
      generate a view that does not include the data element.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bank of America Corp.
Original Assignee
Bank of America Corp.
Inventors
Harvey, Ann Charlot Hunaeus, Gerrard, Joan L.
Primary Examiner(s)
EDWARDS, LINGLAN E

Application Number

US12/605,691
Publication Number

US 20110099643A1
Time in Patent Office

1,821 Days
Field of Search

726/26, 726/27, 726/28, 726/29, 707/999.001, 707/999.002, 707/999.009
US Class Current

726/27
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 21/6245   Protecting personal data, e...

G06F 2221/2113   Multi-level security, e.g. ...

G06F 2221/2141   Access rights, e.g. capabil...

G06Q 10/06   Resources, workflows, human...

G06Q 10/10   Office automation; Time man...

H04L 63/102   Entity profiles

Automated privacy enforcement

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

14 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Automated privacy enforcement

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links