Joseph C Santiesteban



Joe Santiesteban is a trusted cybersecurity lawyer and strategic advisor, who regularly steers clients through data breaches as a partner in crisis management.

He brings significant experience advising companies – from one of the largest telecommunications providers to leading entertainment companies to startups on the cutting-edge of AI and more – on the full cycle of an incident. He also advises companies and executives in connection to regulatory investigations, class actions, enforcement actions, and other disputes that frequently flow from privacy and cybersecurity incidents.

Joe helps clients respond quickly and with integrity to protect their brand, build trust and mitigate legal risk. He is highly skilled at directing incident investigations, analyzing potential claims and defenses, examining potential notification obligations and advising on effective communications strategies. He draws on this experience to help companies proactively prepare for an incident through creative strategies that foster engagement and collaboration between legal, security, communications and leadership teams. This includes building and improving incident response programs through response plans, simulated incidents, threat workshops, and training. In addition, Joe assists clients in practically evaluating the legal risk of security decisions in a variety of transactions and across the product lifecycle.

He also provides strategic advice to cybersecurity companies, including those looking to push technological and defense boundaries in cyber defense, incident response, and threat intelligence. This includes helping companies maximize their security offerings by navigating the Computer Fraud and Abuse Act (CFAA), the Electronic Communications Privacy Act (ECPA), and the Federal Wiretap Act, as well as state law analogs.

Joe serves on the Orrick’s Finance and Audit and Pro Bono Committees. A leader and advocate for diversity and inclusion initiatives, Joe is the co-head of Orrick’s Latinx Inclusion Network and was selected as a 2024 Rising Star by the Minority Corporate Counsel Association (MCCA). He was also named to Lawdragon's 2024 500 X Next Generation Rising Stars List and a member of the Washington Latino Bar Association and the Hispanic National Bar Association.

  • Incident Response

    • Advised cybersecurity company with all aspects of a complex network intrusion with product security implications.
    • Represented multinational telecommunications company regarding sophisticated attack leveraging zero-day vulnerabilities in cloud infrastructure. 
    • Advised multiple companies in cybersecurity, consumer goods, and telecommunications regarding incidents with potential nation-state implications. 
    • Advised online media company regarding a potential security involving more than 200 million records. 
    • Represented travel and leisure company in response to ransomware event with global implications.
    • Advised solar and wind farm operator regarding system-wide ransomware attack with IT and OT implications.  
    • Advised media company regarding forensic investigation of cyber breach and potential international implications.
    • Advised technology company regarding potential notification obligations and third-party claims stemming theft of millions of dollars during cyber incident.

    Counseling and Transactions

    • Advised multiple large sophisticated software and hardware developers regarding the response to identified zero-day vulnerabilities. 
    • Regularly assists clients to efficiently develop incident response programs with clear roles and responsibilities, efficient escalations and decision-making, and a risk-tailored response.
    • Regularly conducts incident response assessments, often in conjunction with forensic teams, to streamline incident response and reduce legal risk. 
    • Regularly advises regarding cybersecurity risks in financings, mergers, and securities transactions.
    • Directed cybersecurity assessment and enhancement planning for international retailer.
    • Performed privacy, security and digital needs assessment for consumer products company with operations in more than 100 countries around the globe.
    • Managed a team providing advice to a U.S.-based technology company on privacy and security compliance relevant to planned expansion in Europe, Middle East, Africa and Asia.
    • Developed a global privacy program for a major food products company operating in more than 40 countries around the globe.
    Strategic Cyber Advice:
    • Advised multiple security hardware and software developers regarding legal implications of offensive defense tactics and threat intelligence gathering. 
    • Advised credential verification service regarding credential gathering and sales strategy. 
    • Advised security risk assessment firm regarding CFAA and state analog implications

    Litigation and Enforcement

    • LabMD. Represented LabMD in its successful petition to the U.S. Court of Appeals resulting in the first-ever court decision overturning an FTC cybersecurity action.
    • Hilton Worldwide. Represented Hilton in first-of-its kind trial in claim against payment card processor and acquirer stemming from data security incident. 
    • Supervalu Inc. Prevailed on data breach class action in district court and Eighth Circuit.  Target. Advised Target Corp. in responding to card brand inquiries and defending card issuer litigation stemming from the data security breach that Target announced in December 2013.
    • Landry's. Advised Landry's regarding its claims against two major card brands arising out of their allegedly unlawful conduct in imposing substantial assessments related to a data security breach suffered by Landry's.
    • Arby’s Restaurant Group. Advised Arby's regarding defense against all third-party claims arising from a payment card incident announced in February 2017.
    • Genesco. Advised Genesco on how to address its various legal obligations and exposures resulting from a substantial data security breach that Genesco discovered in late 2010.