Privacy management systems and methods

US 10,885,485 B2
Filed: 03/04/2020
Issued: 01/05/2021
Est. Priority Date: 06/10/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented data processing method for prioritizing data breach response activities, the method comprising:

generating, by one or more computer processors, a data breach information interface soliciting a first affected jurisdiction, a second affected jurisdiction, and data breach information;

presenting, by the one or more computer processors, the data breach information interface to a user;

receiving, by the one or more computer processors from the user via the data breach information interface, an indication of the first affected jurisdiction, an indication of the second affected jurisdiction, and the data breach information;

determining, by the one or more computer processors based on the first affected jurisdiction and the data breach information, a first reporting failure penalty for the first affected jurisdiction;

determining, by the one or more computer processors based on the first affected jurisdiction and the data breach information, a first reporting deadline for the first affected jurisdiction;

determining, by the one or more computer processors based on the first reporting failure penalty and the first reporting deadline, a first reporting score for the first affected jurisdiction;

determining, by the one or more computer processors based on the second affected jurisdiction and the data breach information, a second reporting failure penalty for the second affected jurisdiction;

determining, by the one or more computer processors based on the second affected jurisdiction and the data breach information, a second reporting deadline for the second affected jurisdiction;

determining, by the one or more computer processors based on the second reporting failure penalty and the second reporting deadline, a second reporting score for the second affected jurisdiction;

determining, by the one or more computer processors, that the first reporting score is greater than the second reporting score;

generating, by the one or more computer processors, a data breach response interface comprising a checklist, the checklist comprising a first checklist item associated with the first affected jurisdiction and a second checklist item associated with the second affected jurisdiction, wherein, based on determining that the first reporting score is greater than the second reporting score, the first checklist item is presented earlier in the checklist than the second checklist item;

presenting, by the one or more computer processors to the user, the data breach response interface;

detecting, by the one or more computer processors, an activation by the user of the first checklist item; and

storing, in a memory by the one or more computer processors, an indication of completion of the first checklist item.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Data processing systems and methods, according to various embodiments, are adapted for mapping various questions regarding a data breach from a master questionnaire to a plurality of territory-specific data breach disclosure questionnaires. The answers to the questions in the master questionnaire are used to populate the territory-specific data breach disclosure questionnaires and determine whether disclosure is required in territory. The system can automatically notify the appropriate regulatory bodies for each territory where it is determined that data breach disclosure is required.

1102 Citations

20 Claims

1. A computer-implemented data processing method for prioritizing data breach response activities, the method comprising:
- generating, by one or more computer processors, a data breach information interface soliciting a first affected jurisdiction, a second affected jurisdiction, and data breach information;
  
  presenting, by the one or more computer processors, the data breach information interface to a user;
  
  receiving, by the one or more computer processors from the user via the data breach information interface, an indication of the first affected jurisdiction, an indication of the second affected jurisdiction, and the data breach information;
  
  determining, by the one or more computer processors based on the first affected jurisdiction and the data breach information, a first reporting failure penalty for the first affected jurisdiction;
  
  determining, by the one or more computer processors based on the first affected jurisdiction and the data breach information, a first reporting deadline for the first affected jurisdiction;
  
  determining, by the one or more computer processors based on the first reporting failure penalty and the first reporting deadline, a first reporting score for the first affected jurisdiction;
  
  determining, by the one or more computer processors based on the second affected jurisdiction and the data breach information, a second reporting failure penalty for the second affected jurisdiction;
  
  determining, by the one or more computer processors based on the second affected jurisdiction and the data breach information, a second reporting deadline for the second affected jurisdiction;
  
  determining, by the one or more computer processors based on the second reporting failure penalty and the second reporting deadline, a second reporting score for the second affected jurisdiction;
  
  determining, by the one or more computer processors, that the first reporting score is greater than the second reporting score;
  
  generating, by the one or more computer processors, a data breach response interface comprising a checklist, the checklist comprising a first checklist item associated with the first affected jurisdiction and a second checklist item associated with the second affected jurisdiction, wherein, based on determining that the first reporting score is greater than the second reporting score, the first checklist item is presented earlier in the checklist than the second checklist item;
  
  presenting, by the one or more computer processors to the user, the data breach response interface;
  
  detecting, by the one or more computer processors, an activation by the user of the first checklist item; and
  
  storing, in a memory by the one or more computer processors, an indication of completion of the first checklist item.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented data processing method of claim 1, wherein the data breach information interface solicits a third affected jurisdiction, the method further comprising:
    - receiving, by the one or more computer processors from the user via the data breach information interface, an indication of the third affected jurisdiction;
      
      determining, by the one or more computer processors based on the third affected jurisdiction and the data breach information, a third reporting failure penalty for the third affected jurisdiction;
      
      determining, by the one or more computer processors based on the third affected jurisdiction and the data breach information, a third reporting deadline for the third affected jurisdiction;
      
      determining, by the one or more computer processors based on the third reporting failure penalty and the third reporting deadline, a third reporting score for the first third affected jurisdiction; and
      
      determining, by the one or more computer processors based on the third reporting score, to generate the data breach response interface comprising the checklist, wherein no checklist item on the checklist is associated with the third affected jurisdiction.
  - 3. The computer-implemented data processing method of claim 1, further comprising:
    - determining, based on the first affected jurisdiction and the data breach information, a first cure period for the first affected jurisdiction; and
      
      determining, based on the second affected jurisdiction and the data breach information, a second cure period for the second affected jurisdiction.
  - 4. The computer-implemented data processing method of claim 1, further comprising:
    - determining, based on the first affected jurisdiction and the data breach information, a first business value for the first affected jurisdiction; and
      
      determining, based on the second affected jurisdiction and the data breach information, a second business value for the second affected jurisdiction;
      
      wherein determining the first reporting score for the first affected jurisdiction is further based on the first business value, and wherein determining the second reporting score for the second affected jurisdiction is further based on the second business value.
  - 5. The computer-implemented data processing method of claim 1, wherein the data breach information comprises at least one of a number of affected users, a data breach discovery date, a data breach discovery time, a data breach occurrence date, a data breach occurrence time, a personal data type, or a data breach discovery method.
  - 6. The computer-implemented data processing method of claim 1, further comprising:
    - determining, based on the first affected jurisdiction and the data breach information, a first plurality of data breach response requirements for the first affected jurisdiction; and
      
      determining, based on the second affected jurisdiction and the data breach information, a second plurality of data breach response requirements for the second affected jurisdiction;
      
      wherein the first checklist item corresponds to a respective first requirement of the first plurality of data breach response requirements, and wherein second checklist item corresponds to a respective second requirement of the second plurality of data breach response requirements.
  - 7. The computer-implemented data processing method of claim 1, wherein the data breach information interface and the data breach response interface are presented to the user via a web browser.

8. A computer-implemented data processing method for prioritizing data breach response activities, the method comprising:
- generating, by one or more computer processors, a data breach information interface soliciting a first affected jurisdiction, a second affected jurisdiction, and data breach information;
  
  presenting, by the one or more computer processors, the data breach information interface to a user;
  
  receiving, by the one or more computer processors from the user via the data breach information interface, an indication of the first affected jurisdiction, an indication of the second affected jurisdiction, and the data breach information;
  
  determining, by the one or more computer processors based on the first affected jurisdiction and the data breach information, first reporting requirements for the first affected jurisdiction;
  
  determining, by the one or more computer processors based on the first affected jurisdiction and the data breach information, first enforcement characteristics for the first affected jurisdiction;
  
  determining, by the one or more computer processors based on the first reporting requirements and the first enforcement characteristics, a first reporting score for the first affected jurisdiction;
  
  determining, by the one or more computer processors based on the second affected jurisdiction and the data breach information, second reporting requirements for the second affected jurisdiction;
  
  determining, by the one or more computer processors based on the second affected jurisdiction and the data breach information, second enforcement characteristics for the second affected jurisdiction;
  
  determining, by the one or more computer processors based on the second reporting requirements and the second enforcement characteristics, a second reporting score for the second affected jurisdiction;
  
  assigning, by the one or more computer processors based on the first reporting score, a first visual indicator to the first affected jurisdiction;
  
  assigning, by the one or more computer processors based on the second reporting score, a second visual indicator to the second affected jurisdiction;
  
  generating, by the one or more computer processors, a data breach response map, the data breach response map comprising the first visual indicator and the second visual indicator;
  
  presenting, by the one or more computer processors to the user, the data breach response map;
  
  detecting, by the one or more computer processors via the data breach response map, a selection by the user of the first visual indicator;
  
  responsive to detecting the selection of the first visual indicator, generating, by the one or more computer processors, a first graphical listing of the first reporting requirements; and
  
  presenting, by the one or more computer processors to the user, the first graphical listing of the first reporting requirements.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer-implemented data processing method of claim 8, wherein the first visual indicator is a first color, wherein the second visual indicator is a second color, and wherein generating the data breach response map comprises:
    - generating a first visual representation of the first affected jurisdiction in the first color; and
      
      generating a second visual representation of the second affected jurisdiction in the second color.
  - 10. The computer-implemented data processing method of claim 8, wherein the first visual indicator is a first texture, wherein the second visual indicator is a second texture, and wherein generating the data breach response map comprises:
    - generating a first visual representation of the first affected jurisdiction in the first texture; and
      
      generating a second visual representation of the second affected jurisdiction in the second texture.
  - 11. The computer-implemented data processing method of claim 8, wherein the first enforcement characteristics comprise a first data breach reporting deadline and a first data breach reporting failure penalty, and wherein the second enforcement characteristics comprise a second data breach reporting deadline and a second data breach reporting failure penalty.
  - 12. The computer-implemented data processing method of claim 8, wherein the data breach information comprises at least one of a number of affected users, a data breach discovery date, a data breach discovery method, or a type of personal data.
  - 13. The computer-implemented data processing method of claim 8, wherein the data breach information comprises a first business value for the first affected jurisdiction and a second business value for the second affected jurisdiction.
  - 14. The computer-implemented data processing method of claim 13, wherein determining the first reporting score for the first affected jurisdiction is further based on the first business value, and wherein determining the second reporting score for the second affected jurisdiction is further based on the second business value.

15. A data breach response prioritization system comprising:
- one or more processors; and
  
  computer memory, wherein the data breach response prioritization system is configured for;
  
  generating a data breach information interface soliciting a first affected jurisdiction, a second affected jurisdiction, and data breach information;
  
  presenting the data breach information interface to a user;
  
  receiving, from the user via the data breach information interface, an indication of the first affected jurisdiction, an indication of the second affected jurisdiction, and the data breach information;
  
  determining, based on the first affected jurisdiction and the data breach information, a first plurality of data breach response requirements for the first affected jurisdiction, a first reporting deadline for the first affected jurisdiction, and a first reporting failure penalty for the first affected jurisdiction;
  
  determining, based on the second affected jurisdiction and the data breach information, a second plurality of data breach response requirements for the second affected jurisdiction, a second reporting deadline for the second affected jurisdiction, and a second reporting failure penalty for the second affected jurisdiction;
  
  determining a first reporting score for the first affected jurisdiction based on the first plurality of data breach response requirements, the first reporting deadline, and the first reporting failure penalty;
  
  determining a second reporting score for the second affected jurisdiction based on the second plurality of data breach response requirements, the second reporting deadline, and the second reporting failure penalty;
  
  assigning a first color to the first affected jurisdiction based on the first reporting score;
  
  assigning a second color to the second affected jurisdiction based on the second reporting score;
  
  generating a data breach response map comprising a first visual representation of the first affected jurisdiction in the first color and a second visual representation of the second affected jurisdiction in the second color;
  
  presenting the data breach response map to the user;
  
  detecting a selection of the first visual representation of the first affected jurisdiction by the user;
  
  responsive to detecting the selection of the first visual representation of the first affected jurisdiction, generating a first graphical listing of the first plurality of data breach response requirements; and
  
  presenting the first graphical listing of the first plurality of data breach response requirements to the user.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The data breach response prioritization system of claim 15, wherein the data breach information interface further solicits a third affected jurisdiction, and wherein the data breach response system is further configured for:
    - receiving, from the user via the data breach information interface, an indication of the third affected jurisdiction;
      
      determining, based on the third affected jurisdiction and the data breach information, a third plurality of data breach response requirements for the third affected jurisdiction, a third reporting deadline for the third affected jurisdiction, and a third reporting failure penalty for the third affected jurisdiction;
      
      determining a third reporting score for the third affected jurisdiction based on the third plurality of data breach response requirements, the third reporting deadline, and the third reporting failure penalty;
      
      assigning a color indicating that no data breach response is required to the third affected jurisdiction based on the third reporting score; and
      
      generating the data breach response map comprising a third visual representation of the third affected jurisdiction in the color indicating that no data breach response is required.
  - 17. The data breach response prioritization system of claim 16, wherein assigning the color indicating that no data breach response is required to the third affected jurisdiction based on the third reporting score comprises determining that the third reporting score fails to meet a threshold.
  - 18. The data breach response prioritization system of claim 15, wherein assigning the first color to the first affected jurisdiction based on the first reporting score comprises determining that the first reporting score meets a first threshold, and wherein assigning the second color to the second affected jurisdiction based on the second reporting score comprises determining that the second reporting score meets a second threshold.
  - 19. The data breach response prioritization system of claim 15, wherein the data breach information comprises at least one of a number of affected users, a data breach discovery date, a data breach discovery time, a data breach occurrence date, a data breach occurrence time, a personal data type, or a data breach discovery method.
  - 20. The data breach response prioritization system of claim 15, wherein the first plurality of data breach response requirements comprises at least one of a notification to a regulatory agency, a notification to affected data subjects, or a notification to an internal organization.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
OneTrust LLC
Original Assignee
OneTrust LLC
Inventors
Brannon, Jonathan Blake, Clearwater, Andrew, Philbrook, Brian, Hecht, Trey, Johnson, Wesley, Pavlichek, Nicholas Ian
Primary Examiner(s)
Plecha, Thaddeus J

Application Number

US16/808,503
Publication Number

US 20200202271A1
Time in Patent Office

307 Days
Field of Search
US Class Current
CPC Class Codes

G06F 15/76   Architectures of general pu...

G06F 16/95   Retrieval from the web

G06F 21/552   involving long-term monitor...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/6245   Protecting personal data, e...

G06Q 10/0635   Risk analysis of enterprise...

G06Q 10/067   Enterprise or organisation ...

Privacy management systems and methods

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

1102 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Privacy management systems and methods

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

1102 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links