David Oberly focuses his legal practice on counseling, advising, and representing sophisticated clients in a broad assortment of biometric privacy, data privacy, and data security/cybersecurity compliance, risk management, and class action litigation matters, as well as providing data breach rapid incident response and crisis management services. David’s clients range from startups to Fortune 500 companies across a broad range of industries, including healthcare, financial services, technology, e-commerce, consumer products, social media, big data, transportation, energy, and professional services.
Outside of his day-to-day practice, David is also the Founder and Chair of the Cincinnati Bar Association’s Cybersecurity & Data Privacy Practice Group.
Biometric Privacy Litigation Defense & Compliance Counseling
David focuses a large portion of his practice on defending high-stakes, high-exposure biometric privacy class actions brought under the Illinois Biometric Information Privacy Act (“BIPA”). As a major thought leader in the biometric privacy space, David has developed an intricate understanding of the core strategies commonly relied on by plaintiffs’ attorneys to litigate BIPA class actions, as well as the range of defenses that can be applied in BIPA suits to defeat or limit BIPA class claims. David is able to leverage this in-depth knowledge of the most significant and complex issues that arise in all types of BIPA litigation to formulate innovative, winning litigation strategies that effectively posture BIPA cases for dispositive dismissals or favorable settlements. Beyond BIPA, David also defends class action lawsuits brought under other privacy laws and liability theories—including the California Consumer Privacy Act of 2018 (“CCPA”)—involving allegations of improper biometric data practices or other improper use of biometric technologies.
In addition, David also counsels and advises clients that collect, use, disclose, and store biometric data on the full range regulatory compliance obligations applicable today, as well as on managing potential liability exposure and risks. In doing so, David focuses on utilizing his clients’ biometric privacy compliance obligations in a positive manner that builds trust and loyalty with consumers and, in turn, provides his clients with a powerful competitive advantage in the marketplace.
In particular, David is skilled in developing tailored, comprehensive biometric privacy compliance programs for clients that ensure continued, ongoing compliance not just with current biometrics regulation, but with future laws as well—allowing clients to always stay a step ahead of today’s constantly-evolving biometric privacy regulation.
Data Privacy Regulatory Compliance & Risk Mitigation
In addition, David’s practice also includes advising companies on a broad range of privacy and data protection matters, including providing strategic and practical advice on compliance with the CCPA, General Data Protection Regulation (“GDPR”), New York Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”), New York Department of Financial Services (“NYDFS”) Cybersecurity Regulation, Gramm-Leach-Bliley Act (“GLBA”), Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and Health Information Technology for Economic and Clinical Health Act (“HITECH”), among others. David is adept at developing robust and comprehensive data privacy and information security programs and policies that provide for full compliance with today’s increasingly complex web of federal and state laws, self-regulatory rules, and industry best practices. David also assists clients in conducting privacy audits and assessments of data privacy regulatory compliance procedures and practices to help identify and eliminate potential areas of liability relating to regulatory compliance.
David counsels and advises clients seeking to assess and manage potential liability exposure and risks on a broad range of privacy and data protection issues, including cybersecurity risk management, digital governance, consumer and employment privacy, incident response planning and preparedness, and vendor management. In doing so, David frequently assists clients in the assessment, development, and revision of cybersecurity and data privacy policies and procedures to safeguard data and minimize the risk of potential data compromise events.
Data Breach Incident Response
David also focuses his practice in the area of data breach incident response and crisis management. David regularly counsels clients with concerns about potential data breaches, and assists clients in incident response and crisis management following data breaches or other data compromise events. David has considerable experience in providing rapid incident response services in connection with a range of different types of breach events, including those involving ransomware, phishing, malware, payment card skimmers, and social media account hacking incidents. David is also experienced and skilled in handling all aspects of the incident response process, including post-incident forensic and regulatory investigations; notifications to impacted individuals and data protection regulators; interacting with law enforcement, intelligence communities, and privacy regulators; and implementing post-incident remediation plans.
Privacy/Data Breach Class Action Litigation Defense
David also represents clients in class actions brought in connection with data breaches and other privacy/cybersecurity incidents. David has substantial experience in a broad array of privacy and data security litigation matters across many industries, and is skilled in defending clients in a wide range of adversarial actions arising from data breaches and other privacy incidents, including actions brought under state consumer and privacy laws and actions against responsible vendors. David also is skilled at responding to non-malicious cyber events, including lost devices, operational errors, and inadvertent electronic transmissions.
In addition, David also assists in evaluating potential claims, assessing liability risks, and providing advice on appropriate responses to regulatory activities.
In addition to his day-to-day practice, David is one of the top legal thought leaders in the areas of biometric privacy, data privacy, and data protection/cybersecurity. Since 2015, David has published nearly 200 articles in distinguished local and national legal publications, including Bloomberg Law, Law360, Security Magazine, Legaltech News, Pratt’s Privacy & Cybersecurity Law Report, The Computer & Internet Lawyer, and SHRM. Beyond his article-publishing efforts, David also presents regularly to clients, industry groups, and his peers on a range of biometric privacy, privacy, and data protection/cybersecurity-related topics.
Outside the Firm
David attended the University of Cincinnati on a baseball scholarship, where he graduated cum laude from the Carl E. Linder College of Business with a degree in finance and international business. As a varsity athlete at UC, David received multiple academic honors and accolades, including the UC Topcat Scholar Athlete Award (the university’s highest academic distinction awarded to varsity student athletes), as well as the Conference USA Commissioner's Academic Honor Roll. David attended law school at the Indiana University (Bloomington) Maurer School of Law on a full-tuition, merit-based academic scholarship.