Joseph C Santiesteban

Managing Associate


Joseph is a Managing Associate with experience in a variety of privacy and cybersecurity matters across diverse business sectors. Joseph regularly advises clients regarding incident response, as well as litigation and government enforcement that commonly arise from privacy and cybersecurity incidents. He also uses this experience to provide clients practical advice regarding their data innovation and incident preparedness strategies.

Joseph regularly advises companies regarding privacy and cybersecurity incident response, including directing incident investigations, analyzing potential claims and defenses, examining potential notification obligations, and advising regarding communications strategies. Joseph also advises clients regarding regulatory investigations, class actions, payment card brand claims, and contract disputes that frequently flow from the announcement of privacy and cybersecurity incidents.

Joseph also uses his experience to help clients leverage the value of data and digital technologies in ways that not only meet compliance obligations, but also support innovation, deliver value to the business, meet security needs and solidify brand and consumer trust. This includes guiding clients through the complex patchwork of federal privacy and cybersecurity laws and regulations, including the FTC Act, GLBA, COPPA, HIPAA, TCPA, CAN-SPAM, and ECPA, state privacy and cybersecurity laws, including California’s Consumer Privacy Act, international laws such as GDPR, and self-regulatory frameworks, including those covering online advertising and payment card processing.

Joseph is admitted in California and Massachusetts; he is not admitted in Washington.  

  • Joseph also maintains an active pro bono practice, which has included defense of a preliminary injunction in a disability rights housing case to the Massachusetts Supreme Judicial Court, bringing and reaching a successful resolution of habitability and affordability claims on behalf of low-income tenants in San Francisco, and a successful appeal of a social security disability claim. 

    Litigation and Enforcement

    • Landry's. Advises Landry's regarding its claims against two major card brands arising out of their allegedly unlawful conduct in imposing substantial assessments related to a data security breach suffered by Landry's.
    • LabMD. Represented LabMD in its successful petition to the U.S. Court of Appeals resulting in the first-ever court decision overturning an FTC cybersecurity action.
    • Arby’s Restaurant Group. Advises Arby's regarding defense against all third-party claims arising from a payment card incident announced in February 2017.
    • Hilton Worldwide. Advised Hilton regarding card brand claims stemming from two separate data security incidents that affected certain Hilton-branded hotels around the world in 2014 and 2015, and also in litigation against Hilton's former payment-card processor in connection with a commercial dispute relating to the data security incidents.
    • Supervalu Inc. Advises Supervalu regarding defense of consumer class action claims stemming from the data security breach that Supervalu announced in August 2014.
    • Target. Advised Target Corp. in responding to card brand inquiries and defending card issuer litigation stemming from the data security breach that Target announced in December 2013.
    • Genesco. Advised Genesco on how to address its various legal obligations and exposures resulting from a substantial data security breach that Genesco discovered in late 2010.

    Incident Response

    • Advised cybersecurity company regarding all aspects of a complex network intrusion with product security implications.
    • Advised media company regarding forensic investigation of cyber breach and potential international implications.
    • Advised technology company regarding potential notification obligations and third-party claims stemming from theft of millions of dollars during cyber incident.
    • Advised asset manager regarding network-wide ransomware attack.

    Counseling and Compliance

    • Advised multiple life science companies regarding GDPR preparedness.
    • Directed cybersecurity assessment and enhancement planning for international retailer.
    • Performed privacy, security and digital needs assessment for consumer products company with operations in more than 100 countries around the globe.
    • Managed a team providing advice to a U.S.-based technology company on privacy and security compliance relevant to planned expansion in Europe, Middle East, Africa and Asia.
    • Developed a global privacy program for a major food products company operating in more than 40 countries around the globe.