UniCourt Influencer Q&A with Lily Li of Metaverse Law
on Topics: Future Law | Interviews | Legal Tech
Hailing from Southern California, attorney, Founder, and legal tech innovator Lily Li is making strides in the cybersecurity space through her practice, Metaverse Law.
After recognizing the burgeoning need for legal services focused solely on data privacy and protection, Lily launched her practice to support companies in the high-tech, digital marketing, healthcare, and e-commerce industries with their privacy and data security obligations. Emerging technologies and new data protection laws constantly increase the complexity of compliance obligations, but Metaverse offers practical solutions to help online businesses keep sensitive client data safe.
We were fortunate to speak with Lily about her career path, her motivation behind starting Metaverse, and her experience working alongside the most influential innovators in legal technology.
UniCourt: Tell us your story. What is your background, and what initially sparked your interest in data privacy and cybersecurity?
Lily Li: I am the owner of Metaverse Law and a Certified Information Privacy Professional for the United States and Europe. My interest in data privacy and cybersecurity stems from being a science fiction junkie at heart. Long before the Facebook-Cambridge Analytica scandal, authors like Ray Bradbury and William Gibson warned us of the privacy implications of near-constant media and a hyper-connected society. When the real world started to look more like science fiction, I wanted to work in a space where I could interact with the makers and shapers of modern technology.
UC: Tell us more about your practice, Metaverse, and how, specifically, it helps startup companies navigate international data privacy regulations.
Li: Metaverse Law focuses exclusively on data privacy and cybersecurity law and helps startups in three different ways. First, I help businesses assess their risks and coverage under the GDPR, CCPA, HIPAA, and other local and international regulations. Second, I assist companies in developing privacy and cybersecurity programs that address these regulatory and litigation risks. Third and finally, in the event of a breach, I work with cybersecurity and forensic vendors under the attorney umbrella and help startups assess their notification requirements. This space is changing almost every day and so I try to help my clients follow the most practical steps to stay ahead of the curve.
UC: What need or gap in the legal field do you believe that Metaverse addresses?
Li: Most law firms have a “data privacy” or “cybersecurity” practice, but if you look closely at the attorneys in the practice, they are being shoehorned in from the firms’ litigation, intellectual property, or corporate departments. While some expertise in these related fields is useful, the data privacy and cybersecurity world is growing at an astronomical pace. Data privacy and cybersecurity attorneys need to dedicate the majority of their time to this practice area to truly protect their clients.
In addition, data privacy and cybersecurity law does not operate in isolation. Businesses need lawyers who are comfortable working with people smarter than they are – i.e., CISO, CIOs, forensic analysts, and vendors who understand the ecosystem of technology and cloud providers that form the backbone of most companies.
UC: In your opinion, is there a tension between complying with privacy laws like the GDPR and promoting open access to court records? Can you describe that tension and address how companies can navigate it?
Li: There is some tension between GDPR and the public’s right of access to court records. In a recent decision by the UK High Court under the GDPR’s predecessor, the court analyzed whether two different businessmen had the right to erase search results concerning their former convictions. The court eventually ordered Google to remove one set of search results, finding that the conviction was out of date and irrelevant – and that the man in question showed “genuine remorse” over his crime. The court sided with Google for the other case, finding that the conviction was “essentially public in its character” and that the man “show[ed] no remorse.”
The court’s analysis is troublesome, however. Unlike a court of law, tech companies do not have the same ability to “judge” the severity of a crime, let alone an individual’s level of “remorse” for each deletion request. This is why I favor having the courts decide whether particular court records should be sealed. Absent court orders sealing particular records or some other overwhelming privacy interest (e.g., records concerning minors), I am wholeheartedly in support of keeping public court records public and taking advantage of our First Amendment rights in the United States.
UC: What can online businesses do to make themselves less vulnerable to risks? Generally speaking, what steps can they take to avoid running afoul of privacy laws?
Li: All online businesses should engage in a rudimentary data mapping exercise, draft an online privacy policy, draft written security plans, and develop an incident response plan. What you say to the world in your privacy policy must match what you actually do with customer data. Data mapping helps to accomplish this by building an inventory of all the types of personal information the business collects. The process of drafting written security and incident response plans also helps online businesses identify vulnerabilities in their tech stack and reduce the risks of a breach.
Sometimes, I have clients that do not want to engage in data mapping, since they are a small internet company and think they know how much personal data they collect and share online. When I ask them about the platforms and remarketing tools that they use, like Mailchimp, AWS, or Facebook Pixel, they start to understand the complexity of their data environment. This complexity may present issues beyond the privacy policy. For example, most small online businesses fail to review their contracts with SAAS and other online providers to see if they are actually protecting their customer data, and don’t realize how much of the risk has been transferred to their shoulders.
UC: How do you think that the continued advancement in legal tech will facilitate increased access to justice?
Li: Legal tech will make legal services more available and affordable to the public. Across the board, we have seen an increase in the use of machine learning technologies to conduct legal research or document review, reducing the expense of attorney hours. In addition, legal tech can help clients understand the nature of their issues before contacting an attorney. The legal field is becoming more and more specialized, like any other area of the economy, and clients need to understand whether they need a family lawyer, criminal lawyer, or constitutional lawyer to protect their rights.
As a data privacy and cybersecurity lawyer, I am also happy to see more attorneys use secure platforms for their client management and document sharing services. Though legal tech cannot guarantee 100% safety, smaller firms now have the option of leveraging legal tech to protect their systems, which helps protect client information in the long run.
UC: What are some of your favorite sayings?
Li: At my alma mater, this saying is inscribed on one of two pillars framing a staircase: “Climb high, climb far, your goal the sky, your aim the star.”
UC: As the Founder of a law firm, what would you say to other women interested in starting their own law firms or legal tech companies?
Li: If you have identified a market need, go for it! With the increasing pace of technology and product cycles, getting to market quickly is essential for any business, especially for law firms or legal tech companies with innovative practices. And now, more than ever, businesses are looking to law firms and vendors with women and minority owners.
My only caveat is this: Make sure you have identified a market niche that you are passionate about, since you will be working on it full time (or more than full time). Lawyers are notorious for not knowing what we want to do in life (that’s why many of us went to law school)!
Within that market niche, do as much research as possible on where your clients’ pain points will be. Then, when you do go to market, you can feel the joy of addressing your clients’ concerns, rather than pushing services or a product on an unwilling audience.
UC: What are your professional goals for the coming year? What projects are you working on? Are there any upcoming events or conferences in the legal tech space we should be aware of?
Li: My professional goals this year are to expand my team. With the California Consumer Privacy Act set to take effect on January 1, 2020, business needs and risks will increase dramatically across the United States and internationally. In addition, I’ve been studying computer forensics with an eye to expanding my network of trustworthy experts that I can deploy to work with small to mid-sized companies.
In addition, anyone in the Southern California area should check out the LA Cyber Lab, a recently launched public and private initiative to prevent cyber attacks.
Offering Practical Solutions that Increase Access to Justice
Technology will continue to make legal services more available and affordable to the public, and Lily Li’s practice is no exception. When attorneys use secure platforms for client management services, they can more easily offer clients a new and unforeseen level of safety and protection. This enables them to not only fulfill their obligations as attorneys and counselors at law, but to also ensure their clients that they can turn over their most sensitive legal and personal issues without fear of a breach.
As changes in privacy law continue to balloon at a breakneck pace with the CCPA, GDPR, and new data privacy regimes in states like Illinois, New York, and Washington, we look forward to the great work of Metaverse Law to keep us all apprised of and prepared for shifts in the law.