An interview with Lily Li, Principal of Metaverse Law. 

Dave Oates: Hey, thanks for joining us for another edition of the Public Relations Security video cast where we talk to experts in all facets of crisis events and crisis management. I’m really privileged to have Lily Li of Metaverse Law with us today from Orange County. Lily, thanks so much for being here, I appreciate it.

Lily Li: Thanks for having me again.

Dave Oates: Truly a pleasure. Tell us a little bit about that because I was really interested. Your law practice is really specific and really niche but vital to a whole wide range of organizations. Tell us about it.

Lily Li: Sure. Metaverse Law focuses exclusively on data privacy and cybersecurity, so I help businesses with their compliance obligations under these new privacy and cybersecurity rules, bring in third parties to assess the security systems and help them deal within an instant.

Dave Oates: Type of organizations that would be in need of your service. Do you have any sort of size or scale of operations or even industries or can it be a wide range of companies and businesses?

Lily Li: Right now it’s a wide range of businesses. I work from startups all the way to multi-national companies. And so as long as they’re collecting sensitive data, that could be customer data, customer lists, financial data, healthcare data, information in the Cloud, a lot of them are covered by these new laws.

Dave Oates: I was going to say the new state laws and I’m sure some federal statutes play in, in that.

Lily Li: Right.

Dave Oates: I guess for the business owner or the executive out there right now, what are kind of the things that they should be considering that often they overlook?

Lily Li: I mean, right now, a lot of businesses don’t realize how much data they’re collecting. They’re not talking to their marketing teams, to their technology teams, and so they have legacy systems with customer data, they have Cloud systems that their employees are using and all of these are potentially vulnerable to attacks from outside forces and inside forces. One of the things I really encourage business owners to do is really take a data inventory, a data map of what they have in their systems.

Dave Oates: Let’s talk worst-case scenario. Something happens adversely, it affects the disclosures of private information, company confidential information, something that the organization needs to publicly disclose or certainly take action upon. What are the kind of steps that they need to take in those?

Lily Li: Well, there are a lot of things that they should consider right away. One of them is to consult with outside counsel to see what their actual notification obligations are and whether or not they should contact law enforcement to report a crime. Another thing is to contact their insurance provider to see if there’s coverage for the event. And then last but not least, talk to a PR company about crisis communications because one of the biggest and worst things that can happen to your company is that you lose your reputation.

Dave Oates: Yeah. It happens a lot where you see companies delay their disclosure of that to the public and it really compromises their trust, but where do you fit into that? Are you oftentimes the quarterback in that situation? Are you working alongside? Because you’re, in many cases, I think, the linchpin for when that happens for organizations. Where do you fit in?

Lily Li: As an attorney, one of the helpful things I can provide for companies is guidance on how to navigate the laws, and attorney/client privilege is helpful there. In order to review drafts of crisis communications and figure out a document, intention, strategy and communication strategy internally before going to the outside world.

Dave Oates: Well, and that sort of leads to my final question to you. Is the best time to talk to you about this is before an incident occurs and sort of their disaster planning operational planning. Do I have that right?

Lily Li: That’s right. If you can develop an incident response plan before a breach, it’s going to be so much better. You’re going to reduce the cost of mitigation, your employees will know what to do and as you all know, if you have a PR strategy ahead of time, you can usually get ahead of the narrative.

Dave Oates: Well, how likely is it that an organization is going to have an incident where they’re going to at least have to be prepared to respond, if not actually respond? I mean, it seems to me that it’s so pervasive. It’s an essential business component.

Lily Li: That’s right. Unfortunately, dealing with cyberattacks is part of the cost of doing business now and a recent report issued by the IBM Ponemon Institute, they found that you’re more likely to suffer a cyber breach than you are of catching the flu.

Dave Oates: Really? So anybody who didn’t get their flu shot is not going to get the flu. You’re more likely to actually have a cyber incident than even getting the flu. Man, that puts things in great perspective. Lily, I think people are going to need to get ahold of you at some point that hopefully for preparation purposes and not an actual event, give us your contact information.

Lily Li: Yeah, feel free to reach me at, and you can also reach me by phone at (949) 329-3460.

Dave Oates: Fantastic. Lily, thanks so much for your time. I appreciate it. I know how busy you are. Thanks for … This was great. And thanks for watching. We’ll see you in the next one.