David J. Oberly


David Oberly focuses his legal practice on counseling, advising, and representing sophisticated clients in a broad assortment of biometric privacy, data privacy, and data security/cybersecurity compliance, risk management, and class action litigation matters, as well as providing data breach rapid incident response and crisis management services. David’s clients range from startups to Fortune 500 companies across a broad range of industries, including healthcare, financial services, technology, e-commerce, consumer products, social media, big data, transportation, energy, and professional services.

Outside of his day-to-day practice, David is also the Founder and Chair of the Cincinnati Bar Association’s Cybersecurity & Data Privacy Practice Group.

Biometric Privacy Litigation Defense & Compliance Counseling

David focuses a large portion of his practice on defending high-stakes, high-exposure biometric privacy class actions brought under the Illinois Biometric Information Privacy Act (“BIPA”). As a major thought leader in the biometric privacy space, David has developed an intricate understanding of the core strategies commonly relied on by plaintiffs’ attorneys to litigate BIPA class actions, as well as the range of defenses that can be applied in BIPA suits to defeat or limit BIPA class claims. David is able to leverage this in-depth knowledge of the most significant and complex issues that arise in all types of BIPA litigation to formulate innovative, winning litigation strategies that effectively posture BIPA cases for dispositive dismissals or favorable settlements. Beyond BIPA, David also defends class action lawsuits brought under other privacy laws and liability theories—including the California Consumer Privacy Act of 2018 (“CCPA”)—involving allegations of improper biometric data practices or other improper use of biometric technologies.

In addition, David also counsels and advises clients that collect, use, disclose, and store biometric data on the full range regulatory compliance obligations applicable today, as well as on managing potential liability exposure and risks. In doing so, David focuses on utilizing his clients’ biometric privacy compliance obligations in a positive manner that builds trust and loyalty with consumers and, in turn, provides his clients with a powerful competitive advantage in the marketplace.

In particular, David is skilled in developing tailored, comprehensive biometric privacy compliance programs for clients that ensure continued, ongoing compliance not just with current biometrics regulation, but with future laws as well—allowing clients to always stay a step ahead of today’s constantly-evolving biometric privacy regulation.

Data Privacy Regulatory Compliance & Risk Mitigation

In addition, David’s practice also includes advising companies on a broad range of privacy and data protection matters, including providing strategic and practical advice on compliance with the CCPA, General Data Protection Regulation (“GDPR”), New York Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”), New York Department of Financial Services (“NYDFS”) Cybersecurity Regulation, Gramm-Leach-Bliley Act (“GLBA”), Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and Health Information Technology for Economic and Clinical Health Act (“HITECH”), among others. David is adept at developing robust and comprehensive data privacy and information security programs and policies that provide for full compliance with today’s increasingly complex web of federal and state laws, self-regulatory rules, and industry best practices. David also assists clients in conducting privacy audits and assessments of data privacy regulatory compliance procedures and practices to help identify and eliminate potential areas of liability relating to regulatory compliance.

David counsels and advises clients seeking to assess and manage potential liability exposure and risks on a broad range of privacy and data protection issues, including cybersecurity risk management, digital governance, consumer and employment privacy, incident response planning and preparedness, and vendor management. In doing so, David frequently assists clients in the assessment, development, and revision of cybersecurity and data privacy policies and procedures to safeguard data and minimize the risk of potential data compromise events.

Data Breach Incident Response

David also focuses his practice in the area of data breach incident response and crisis management. David regularly counsels clients with concerns about potential data breaches, and assists clients in incident response and crisis management following data breaches or other data compromise events. David has considerable experience in providing rapid incident response services in connection with a range of different types of breach events, including those involving ransomware, phishing, malware, payment card skimmers, and social media account hacking incidents. David is also experienced and skilled in handling all aspects of the incident response process, including post-incident forensic and regulatory investigations; notifications to impacted individuals and data protection regulators; interacting with law enforcement, intelligence communities, and privacy regulators; and implementing post-incident remediation plans.

Privacy/Data Breach Class Action Litigation Defense

David also represents clients in class actions brought in connection with data breaches and other privacy/cybersecurity incidents. David has substantial experience in a broad array of privacy and data security litigation matters across many industries, and is skilled in defending clients in a wide range of adversarial actions arising from data breaches and other privacy incidents, including actions brought under state consumer and privacy laws and actions against responsible vendors. David also is skilled at responding to non-malicious cyber events, including lost devices, operational errors, and inadvertent electronic transmissions.

In addition, David also assists in evaluating potential claims, assessing liability risks, and providing advice on appropriate responses to regulatory activities.

Thought Leader

In addition to his day-to-day practice, David is one of the top legal thought leaders in the areas of biometric privacy, data privacy, and data protection/cybersecurity. Since 2015, David has published nearly 200 articles in distinguished local and national legal publications, including Bloomberg Law, Law360, Security Magazine, Legaltech News, Pratt’s Privacy & Cybersecurity Law Report, The Computer & Internet Lawyer, and SHRM. Beyond his article-publishing efforts, David also presents regularly to clients, industry groups, and his peers on a range of biometric privacy, privacy, and data protection/cybersecurity-related topics.

Outside the Firm

David attended the University of Cincinnati on a baseball scholarship, where he graduated cum laude from the Carl E. Linder College of Business with a degree in finance and international business. As a varsity athlete at UC, David received multiple academic honors and accolades, including the UC Topcat Scholar Athlete Award (the university’s highest academic distinction awarded to varsity student athletes), as well as the Conference USA Commissioner's Academic Honor Roll. David attended law school at the Indiana University (Bloomington) Maurer School of Law on a full-tuition, merit-based academic scholarship.


  • Serve as day-to-day biometric privacy and privacy/data protection counsel for national online eyewear brand client.
  • Serve as day-to-day biometric privacy and privacy/data protection counsel for national banking institution client.
  • Obtained dismissal of national online eyewear brand in putative Illinois Biometric Information Privacy Act (“BIPA”) class action involving allegations of improper collection and possession of consumer facial template data in connection with client’s virtual try-on technology.
  • Obtained dismissal of national party store chain in putative BIPA class action involving allegations of improper collection and possession of employee fingerprints in connection with use of biometric timeclock.  
  • Represented national food producer in putative BIPA class action involving allegations of improper collection, possession, and disclosure of employee fingerprints in connection with use of biometric timeclock; secured settlement favorable to client prior to expiration of client’s responsive pleading deadline.
  • Counseled and advised numerous corporate clients on rapidly-changing legal landscape of biometric privacy and compliance with BIPA; Texas Capture or Use of Biometric Identifier Act (“CUBI”); Portland, Oregon, private-sector facial recognition ban; New York City biometric privacy ordinance; and similar biometric privacy laws and regulations.
  • Developed numerous tailored biometric privacy compliance programs—involving, among other things, creation of customized biometric privacy policies, notices, written consent forms, and online consumer arbitration agreements and class action waivers—for corporate clients across a wide variety of industries.
  • Obtained summary judgment in defense of national banking association in putative Fair Credit Reporting Act (“FCRA”) consumer privacy class action.
  • Obtained dispositive dismissal of national banking association client in putative consumer privacy overdraft fee class action.
  • Currently representing multinational eyewear brand in putative Florida Security of Communications Act (“FSCA”) wiretap act class action involving allegations of improper interception of website visitors’ personal information through use of session replay technology.
  • Represented Fortune 50 company in data privacy litigation involving inadvertent disclosure of sensitive and confidential customer personal information. 
  • Counseled and advised corporate clients across different industries regarding compliance with the California Consumer Privacy Act ("CCPA"), New York Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”), and similar consumer privacy laws.
  • Provided rapid incident response services for corporate clients in numerous sectors following data breach incidents and counseled clients regarding concerns about potential data breaches.
  • Performed privacy due diligence for wide variety of clients engaged in M&A transactions.

News & Views

See all News and Views


  • 2018–2022, “Rising Star,” listed in Ohio Super Lawyers
  • 2021, Top Cybersecurity Author, JD Supra Readers’ Choice Award 
  • 2018, Cincinnati Academy of Leadership for Lawyers Class 22 Participant
  • 2018, “Outstanding Young Lawyer Award,” by Ohio Association of Civil Trial Attorneys



  • American Bar Association
  • Cincinnati Bar Association
  • Ohio State Bar Association
Professional Activities
  • 2021: Vice Chair, American Bar Association Tort Trial & Insurance Practice Section Cybersecurity & Data Privacy Committee
  • 2020–Present: Feature Writer, The Daily Swig
  • 2020–Present: Founder/Chair, Cincinnati Bar Association Cybersecurity & Data Privacy Practice Group
  • 2019–Present: Chair, Cincinnati Bar Association Membership Services & Development Committee
  • 2020–Present: Member, Cincinnati Bar Association Awards Committee
  • 2019–Present: Member, Ohio State Bar Association Young Lawyers Council
  • 2019–Present: Member, Ohio Association of Civil Trial Attorneys Board of Trustees
  • 2020–Present: Member, Ohio Association of Civil Trial Attorneys Awards Committee
  • 2017–Present: Chair, Ohio Association of Civil Trial Attorneys Social Media Committee
  • 2019–Present: Member, United Way of Greater Cincinnati Emerging Leaders
  • 2020–Present: 2004 Class Captain, Moeller High School (Alumni Engagement)



  • Pennsylvania
  • Ohio
  • U.S. District Court - Northern District of Ohio
  • U.S. District Court - Southern District of Ohio
  • United States Court of Appeals for the Sixth Circuit
  • Supreme Court of Ohio


  • Indiana University School of Law-Bloomington, JD
  • University of Cincinnati, BBA, cum laude