Joseph C Santiesteban

Partner

Seattle

Joe Santiesteban co-leads Orrick's global Cyber, Privacy & Data Innovation group. He is a trusted cybersecurity lawyer and strategic advisor who regularly steers clients through high-stakes cyber incidents, regulatory scrutiny and related litigation.

Joe regularly guides companies through the full lifecycle of a cybersecurity incident, including incident assessment, forensic investigation management, legal risk analysis, breach notification obligations, crisis communications, regulatory inquiries, class actions, enforcement matters, and other disputes arising from privacy and security events. He is known for helping clients respond quickly, thoughtfully and with integrity to protect their brands, maintain stakeholder trust and reduce legal and business risk. He advises companies across a range of industries, including technology, financial, entertainment, telecommunications and healthcare, from major enterprise companies to innovative startups.

A significant part of Joe’s practice focuses on data breach response, incident response preparedness, cybersecurity governance and privacy-related crisis management. He works closely with legal, security, communications and executive leadership teams to direct incident investigations, assess potential claims and defenses, evaluate notification requirements and develop practical response strategies. He also helps organizations prepare for incidents before they happen by building and improving incident response programs, response plans, tabletop exercises, threat workshops and training programs.

In addition to incident response work, Joe advises clients on the cybersecurity and privacy implications of security decisions across the product lifecycle and in complex transactions. He also counsels cybersecurity and threat intelligence companies, including businesses developing advanced technologies in cyber defense, incident response and security operations. His work includes helping clients navigate legal issues under the Computer Fraud and Abuse Act (CFAA), Electronic Communications Privacy Act (ECPA), Federal Wiretap Act and analogous state laws.

Joe serves on Orrick’s Finance and Audit and Pro Bono Committees. A leader and advocate for diversity and inclusion initiatives, Joe is the co-head of Orrick’s Latinx Inclusion Network and was selected as a 2024 Rising Star by the Minority Corporate Counsel Association (MCCA). He was also named to Lawdragon's 2024 500 X Next Generation Rising Stars List. He is a member of the Washington Latino Bar Association and the Hispanic National Bar Association.

    Incident Response

    • Advised cybersecurity company with all aspects of a complex network intrusion with product security implications.
    • Represented multinational telecommunications company regarding sophisticated attack leveraging zero-day vulnerabilities in cloud infrastructure. 
    • Advised multiple companies in cybersecurity, consumer goods, and telecommunications regarding incidents with potential nation-state implications. 
    • Advised online media company regarding a potential security incident involving more than 200 million records.
    • Represented travel and leisure company in response to ransomware event with global implications.
    • Advised solar and wind farm operator regarding system-wide ransomware attack with IT and OT implications.  
    • Advised media company regarding forensic investigation of cyber breach and potential international implications.
    • Advised technology company regarding potential notification obligations and third-party claims stemming from theft of millions of dollars during cyber incident.

    Counseling and Transactions

    • Advised multiple large sophisticated software and hardware developers regarding the response to identified zero-day vulnerabilities. 
    • Regularly assists clients to efficiently develop incident response programs with clear roles and responsibilities, efficient escalations and decision-making, and a risk-tailored response.
    • Regularly conducts incident response assessments, often in conjunction with forensic teams, to streamline incident response and reduce legal risk. 
    • Regularly advises regarding cybersecurity risks in financings, mergers, and securities transactions.
    • Directed cybersecurity assessment and enhancement planning for international retailer.
    • Performed privacy, security and digital needs assessment for consumer products company with operations in more than 100 countries around the globe.
    • Managed a team providing advice to a U.S.-based technology company on privacy and security compliance relevant to planned expansion in Europe, Middle East, Africa and Asia.
    • Developed a global privacy program for a major food products company operating in more than 40 countries around the globe.

    Strategic Cyber Advice

    • Advised multiple security hardware and software developers regarding legal implications of offensive defense tactics and threat intelligence gathering. 
    • Advised credential verification service regarding credential gathering and sales strategy. 
    • Advised security risk assessment firm regarding CFAA and state analog implications.

    Litigation and Enforcement

    • MOVEit Breaches. Defending CalPERS, Johns Hopkins University, TIAA, and Performance Health Technology Ltd. in class action litigation arising from hackers' attack on the MOVEit file transfer platform.
    • Represented former CISO in government procurement and false statements investigation.
    • LabMD. Represented LabMD in its successful petition to the U.S. Court of Appeals resulting in the first-ever court decision overturning an FTC cybersecurity action.
    • Hilton Worldwide. Represented Hilton in first-of-its-kind trial in claim against payment card processor and acquirer stemming from data security incident.
    • Supervalu Inc. Prevailed on data breach class action in district court and Eighth Circuit.
    • Target. Advised Target Corp. in responding to card brand inquiries and defending card issuer litigation stemming from the data security breach that Target announced in December 2013.
    • Landry's. Advised Landry's regarding its claims against two major card brands arising out of their allegedly unlawful conduct in imposing substantial assessments related to a data security breach suffered by Landry's.
    • Arby’s Restaurant Group. Advised Arby's regarding defense against all third-party claims arising from a payment card incident announced in February 2017.
    • Genesco. Advised Genesco on how to address its various legal obligations and exposures resulting from a substantial data security breach that Genesco discovered in late 2010.