David Oberly is a senior associate in the Data Privacy, Cybersecurity & Digital Assets Practice. David focuses his practice on providing sophisticated advice and guidance to corporate clients on a broad assortment of biometric privacy, data privacy and security/data protection matters. David’s clients range from startups to Fortune 50 companies and extend across myriad industries, including advertising, media, retail, consumer products, technology, e-commerce, financial services, social media and healthcare.

    Outside of his day-to-day practice, David is the founder and chair of the Cincinnati Bar Association’s Cybersecurity & Data Privacy Practice Group, as well as a vice chair of the American Bar Association’s Cybersecurity & Data Privacy Committee.

    Biometric Privacy Compliance and Risk Management Counseling

    As a recognized thought leader in the biometric privacy space, David focuses a large portion of his practice on serving as the go-to expert for companies that utilize biometrics in their operations – counseling clients on the full range of legal and regulatory compliance obligations applicable today, as well as on managing potential legal exposure and liability risks. Using his subject matter expertise in biometrics, David provides guidance across the spectrum of varying biometric privacy issues that arise when leveraging biometrics in commercial operations today, helping companies navigate the ever-evolving biometric privacy legal landscape to ensure compliance and mitigate risk.

    David also regularly develops tailored, organization-wide biometric privacy programs in connection with all types of biometric technologies to ensure continued, ongoing compliance with both current and anticipated legal requirements – allowing clients to always stay a step ahead of today’s ever-expanding web of biometric privacy regulation.

    Privacy, Security and Data Protection Compliance and Risk Management Counseling

    In addition, David serves as the trusted privacy advisor to a wide variety of companies, providing compliance and risk management guidance on a broad assortment of privacy, security and data protection issues that businesses face in today’s highly digital world.

    In particular, David frequently works with clients in providing advice and guidance on compliance with today’s new consumer privacy laws, including the CCPA, CPRA, CDPA and CPA, as well as a range of other state and federal data privacy and protection laws, such as the New York SHIELD Act, NYDFS Part 500 Cybersecurity Regulation, Florida Security of Communications Act (FSCA), GLBA, HIPAA and FCRA, among others.

    David also works with clients in operationalizing compliance through the design, development and implementation of organization-wide privacy and information security compliance programs that provide for full compliance with today’s increasingly complex web of state and federal laws, self-regulatory rules and industry best practices – with particularly extensive experience in building out programs focused on satisfying the CCPA and similar consumer privacy statutes. David conducts privacy audits and assessments of clients’ compliance procedures and practices to help identify and eliminate potential areas of privacy-related legal risk.

    Product Counseling

    Another significant portion of David’s practice involves product counseling – providing guidance to help clients bring new products and services to the market. As product counsel, David works closely with clients’ business and legal teams in the design, development and launch of new data-driven products and services. David also continues his work with clients post-launch, providing ongoing guidance on new legal requirements and related developments to ensure continued legal compliance and risk management for the duration of the product life cycle.

    Security Incident Response

    David has deep experience in security incident response matters – both in terms of assisting clients in incident response and crisis management following data breach events and in counseling clients on concerns regarding potential security incidents. David’s expertise extends to a wide range of security incidents, including cloud data breaches, malware credit card breaches, employee phishing breaches, social media account takeover events, ransomware and inadvertent data disclosure events. David is also experienced in handling all aspects of the incident response process, including post-incident forensic and regulatory investigations, notifications to impacted individuals and privacy regulators, interacting with law enforcement and regulators, and implementing post-incident remediation plans.

    Biometric Privacy, Privacy and Consumer Protection Class Action Defense

    David also possesses a wealth of experience in defending and litigating high-stakes, high-exposure biometric privacy class actions, particularly those brought under the Illinois Biometric Information Privacy Act (BIPA), as well as deep experience in defending other types of privacy and consumer protection class litigation.

    Thought Leader

    David is one of the top legal thought leaders in the areas of biometric privacy, data privacy and security/data protection. He has published nearly 200 articles in distinguished legal publications – including Bloomberg Law, Law360, Legaltech News and Pratt’s Privacy & Cybersecurity Law Report – in the last three years alone. As a result of his prolific publishing activities, David was recognized in JD Supra’s 2021 Readers Choice Awards as a top author in the US in the area of cybersecurity.

    Biometric Privacy Counseling

    • Serve as day-to-day biometric privacy and data privacy counsel for a national online eyewear retailer client.
    • Serve as day-to-day biometric privacy counsel for a national financial institution client.
    • Provide ongoing advice and guidance concerning biometric privacy-related risks to a range of corporate entities, including security service firms, financial institutions and retailers.
    • Advised numerous clients with California operations on applicable biometric privacy compliance obligations, including California-specific compliance requirements.
    • Developed an enterprise-wide biometric privacy compliance program for a national online eyewear retailer client in connection with the rollout of an online virtual try-on tool on a client website.
    • Developed an enterprise-wide biometric privacy compliance program for a national financial institution client in connection with the rollout of a voice biometrics system for use in customer service call centers.

    Product Counseling

    • Completed comprehensive evaluation of a professional NFL franchise client’s software technology utilizing facial recognition; advised the client on biometric privacy risks and obligations, as well as compliance solutions, in advance of software implementation.
    • Completed comprehensive evaluation of a client’s software technology utilizing facial recognition to capture facial characteristic data for the purpose of analyzing store patron demographics and mood; advised the client on biometric privacy risks and obligations, as well as compliance solutions, in advance of software launch.
    • Scoped legal risks/obligations and advised on other potential privacy and biometric privacy implications pertaining to a financial institution client’s rollout of a call center voice biometrics service in advance of service launch.
    • Scoped legal risks/obligations and advised on other potential privacy and biometric privacy implications in connection with an online eyewear retailer’s rollout of an online virtual eyewear try-on tool in advance of product launch.
    • Advised an overseas consumer electronics manufacturer on compliance with US wiretap/two-party consent laws and associated data use restrictions in connection with the client’s anticipated rollout of a real-time mobile translation service for use during audio and video phone calls.

    Privacy, Security and Data Protection Counseling

    • Provide ongoing privacy counseling services to the world’s largest eyewear retailer concerning federal and state wiretap act-related liability exposure risks; assisted the retailer in the implementation of risk mitigation measures.
    • Advised a national online eyewear retail client on wiretap act liability risk mitigation measures; drafted a privacy policy and an online/mobile notice and consent language to address wiretap act compliance and associated liability exposure.
    • Advised a national online eyewear retailer on a range of complex issues pertaining to the Federal Trade Commission (FTC) Contact Lens Rule.
    • Advised an innovative printer technology manufacturer client on satisfying legal obligations in connection with California and Oregon connected devices/Internet of Things (IoT) security laws.
    • Advised the world’s leading provider of rehearsal and recording facilities for artists on compliance with US wiretap/two-party consent laws, as well as strategies for providing notice and obtaining consent from customers in connection with recording of customers’ music sessions.
    • Advised a women’s apparel retailer on potential CAN-SPAM Act liability issues relating to various email marketing campaigns and maintenance of marketing mailing lists.
    • Advised one of the world’s largest soft drink manufacturers on compliance with New York SHIELD Act security and data protection requirements; developed a security and data protection action plan to ensure ongoing, continued compliance with the SHIELD Act.
    • Advised numerous clients on a range of privacy-related issues relating to the COVID-19 pandemic, including compliance with privacy laws pertaining to COVID-19 temperature screening programs, health screening programs, and disclosure of positive employee/visitor test results.
    • Advised one of the largest US non-profit organizations on the scope of permissible data sharing with domestic and foreign third parties; prepared a vendor data sharing agreement to mitigate liability risk.
    • Advised a client on applicable COPPA compliance obligations in connection with the client’s children’s app; assisted in the implementation of mechanisms for securing parental consent through an email registration process; drafted a children’s privacy notice for use by the client.
    • Regularly advise clients on responding to security and data compromise incidents involving phishing, malware, inadvertent data disclosures, social media account takeovers, network intrusions and ransomware attacks, including addressing notification obligations and regulatory inquiries/investigations.

    Privacy Policies and Procedures

    • Developed a HIPAA compliance program for a prominent, national environmental organization, including preparation of required policies, procedures and related privacy documents.
    • Drafted enterprise-wide privacy and information security policies and procedures for a national security firm client.
    • Drafted comprehensive guidance materials and template forms for employers’ COVID-19 employee temperature screening and health screening programs.
    • Drafted an NYDFS Part 500 Cybersecurity Regulation-compliant Cybersecurity Policy and Security Incident Response Plan for a financial institution client; advised the client on recommended practices and controls for satisfying a range of NYDFS Cybersecurity Regulation compliance obligations.
    • Regularly assist a range of clients in a diverse set of industries in proactively managing risk by developing and implementing global privacy compliance and information governance programs, including drafting enterprise-wide privacy, security and data protection policies.
    • Regularly draft a range of online privacy documents, including privacy policies/statements; online terms of use containing consumer arbitration provisions, class action waivers and related clickwrap agreements; consumer privacy, financial incentive and children’s privacy notices; wiretap act-related notice and consent banner language; and cookie banner language.

    Biometric Privacy Class Action Defense

    • Obtained voluntary dismissal of a national online eyewear retailer client in a putative BIPA class action involving the client’s virtual eyewear try-on tool within 48 hours of being retained to defend the matter.
    • Obtained voluntary dismissal of a national online eyewear retailer client in a second putative BIPA class action involving the client’s virtual eyewear try-on tool prior to service being attempted by opposing counsel.
    • Obtained voluntary dismissal of an international cosmetics company client in a putative BIPA class action involving the client’s virtual cosmetics try-on tool through utilization of a persuasive dismissal demand letter educating opposing counsel on the applicability of arbitration defense available to the client – prompting opposing counsel to dismiss the action in its entirety without the need to engage in motion practice.
    • Obtained dispositive dismissal of a national party store chain client in a putative BIPA class action involving allegations of improper collection/possession of employee fingerprints through the use of a biometric timeclock.
    • Facilitated a nuisance value settlement on behalf of a national food producer client in a putative BIPA class action involving allegations of improper collection/possession/disclosure of employee fingerprints through the use of a biometric timeclock through utilization of early dispositive motion practice.
    • Facilitated a nuisance value settlement on behalf of the eighth-largest retailer in the US in a putative BIPA class action relating to purported collection/possession of scans of facial geometry through the client’s virtual cosmetics try-on tool.

    Privacy and Consumer Protection Class Action Defense

    • Obtained dismissal with prejudice of a multinational eyewear brand client in a putative Florida Security of Communications Act (FSCA) class action involving allegations of unlawful interception of private electronic communications through the use of session replay software. This was the first FSCA lawsuit in the nation to be dismissed with prejudice on a Rule 12(b)(6) motion to dismiss.
    • Obtained summary judgment on behalf of a national banking association in a putative FCRA class action involving allegations of inaccurate credit reporting.
    • Obtained dispositive dismissal with prejudice – prior to expiration of a responsive pleading deadline – on behalf of a national banking association in a putative consumer protection class action involving alleged improper overdraft fee practices through utilization of a Rule 11 letter.
    • Facilitated a nuisance value settlement on behalf of a national timeshare management software and financial services client in a putative TCPA class action through utilization of an aggressive litigation strategy and dispositive motion practice.
    • Obtained dispositive dismissal prior to expiration of a responsive pleading deadline on behalf of a national home storage/organization specialty retailer in a putative consumer class action involving alleged improper return/refund practices through utilization of a Rule 11 letter.

    Education

    • Indiana University Maurer School of Law, J.D., 2011
    • University of Cincinnati, B.A., cum laude, 2008

    Admissions

    • Pennsylvania, 2019
    • Ohio, 2011

    Courts

    • U.S. Ct. of App., Sixth Circuit
    • U.S. Dist. Ct., S. Dist. of Ohio
    • U.S. Dist. Ct., N. Dist. of Ohio
    • U.S. Dist. Ct., C. Dist. of Illinois

    Memberships and Affiliations

    • American Bar Association
      • Vice Chair, TIPS Cybersecurity & Data Privacy Committee, 2021-Present
      • Vice Chair, TIPS Technology & New Media Committee, 2021-Present
    • Cincinnati Bar Association
      • Founder/Chair, Cybersecurity & Data Privacy Practice Group, 2020-Present
      • Chair, Membership Services & Development Committee, 2019-Present
      • Member, Awards Committee, 2020-Present
      • Co-Chair, Superhero Run For Kids 5K Planning Committee, 2018-2020
    • Ohio State Bar Association
      • Member, Young Lawyers Section Council, 2018-2021
    • United Way of Greater Cincinnati
      • Member, Emerging Leaders, 2020-Present
    • Top Cybersecurity Author, JD Supra Readers Choice Awards, 2021
    • Ohio Super Lawyers Rising Star, 2017-Present
    • Features Writer, The Daily Swig, 2019-Present
    • Cincinnati Academy of Leadership for Lawyers Participant, Class 22, 2018

    • Quoted, “Apple's Looming In-App Deletion Deadline Adds More Uncertainty to Privacy Regulation Landscape,” Legaltech News, May 28, 2022.
    • Quoted, “Kronos Hack Wage Suits Show Legal Risks of Payroll Outsourcing,” Bloomberg Privacy & Data Security Law, March 30, 2022.

    • Author, “Utah Consumer Privacy Act: New legislation adds another wrinkle to the US legal landscape,” The Daily Swig, April 19, 2022.
    • Author, “Biometric Data Collection Takeaways From BNSF Ruling,” Law360, March 22, 2022.
