Joseph C Santiesteban



Joseph Santiesteban is a trusted cyber law advisor. He regularly advises clients regarding incident response, as well as litigation and government enforcement that commonly arise from privacy and cybersecurity incidents. He uses this experience to offer clients practical advice regarding their data innovation and incident preparedness strategies.

Joseph regularly advises companies regarding privacy and cybersecurity incident response, including directing incident investigations, analyzing potential claims and defenses, examining potential notification obligations, and advising regarding communications strategies. He also advises clients regarding regulatory investigations, class actions, and contract disputes that frequently flow from privacy and cybersecurity incidents.

Joseph uses his experience to help clients leverage the value of data and digital technologies in ways that not only meet compliance obligations, but also support innovation, deliver value to the business, meet security needs, and solidify brand and consumer trust. This includes guiding clients through the complexity of federal privacy and cybersecurity laws and regulations, including the Electronic Communications Privacy Act (ECPA), the Federal Trade Commission Act (FTC Act), the Gramm-Leach-Bliley Act (GLBA), and the Health Insurance Portability and Accountability Act (HIPAA); state privacy and cybersecurity laws, including the California Consumer Privacy Act (CCPA); international laws such as the European Union General Data Protection Regulation (GDPR); and self-regulatory frameworks, including those covering online advertising and payment card processing. It also includes helping clients practically evaluate the legal risk of security decisions in a variety of transactions and across the product lifecycle.

He also provides strategic advice to cybersecurity companies, including those looking to push technological and defense boundaries in cyber defense, incident response, and threat intelligence. This includes helping companies maximize their security offerings by navigating the Computer Fraud and Abuse Act (CFAA), the Electronic Communications Privacy Act (ECPA), and the Federal Wiretap Act, as well as state law analogs.


    Incident Response

    • Advised cybersecurity company with all aspects of a complex network intrusion with product security implications.
    • Represented multinational telecommunications company regarding sophisticated attack leveraging zero-day vulnerabilities in cloud infrastructure. 
    • Advised multiple companies in cybersecurity, consumer goods, and telecommunications regarding incidents with potential nation-state implications. 
    • Advised online media company regarding a potential security incident involving more than 200 million records.
    • Represented travel and leisure company in response to ransomware event with global implications.
    • Advised solar and wind farm operator regarding system-wide ransomware attack with IT and OT implications.  
    • Advised media company regarding forensic investigation of cyber breach and potential international implications.
    • Advised technology company regarding potential notification obligations and third-party claims stemming from the theft of millions of dollars during a cyber incident.

    Counseling and Transactions

    • Advised multiple large sophisticated software and hardware developers regarding the response to identified zero-day vulnerabilities. 
    • Regularly assists clients to efficiently develop incident response programs with clear roles and responsibilities, efficient escalations and decision-making, and a risk-tailored response.
    • Regularly conducts incident response assessments, often in conjunction with forensic teams, to streamline incident response and reduce legal risk. 
    • Regularly advises regarding cybersecurity risks in financings, mergers, and securities transactions.
    • Directed cybersecurity assessment and enhancement planning for international retailer.
    • Performed privacy, security and digital needs assessment for consumer products company with operations in more than 100 countries around the globe.
    • Managed a team providing advice to a U.S.-based technology company on privacy and security compliance relevant to planned expansion in Europe, Middle East, Africa and Asia.
    • Developed a global privacy program for a major food products company operating in more than 40 countries around the globe.

    Strategic Cyber Advice

    • Advised multiple security hardware and software developers regarding legal implications of offensive defense tactics and threat intelligence gathering. 
    • Advised credential verification service regarding credential gathering and sales strategy. 
    • Advised security risk assessment firm regarding CFAA and state analog implications.

    Litigation and Enforcement

    • LabMD. Represented LabMD in its successful petition to the U.S. Court of Appeals resulting in the first-ever court decision overturning an FTC cybersecurity action.
    • Hilton Worldwide. Represented Hilton in a first-of-its-kind trial in a claim against payment card processor and acquirer stemming from a data security incident.
    • Supervalu Inc. Prevailed on data breach class action in district court and Eighth Circuit.
    • Target. Advised Target Corp. in responding to card brand inquiries and defending card issuer litigation stemming from the data security breach that Target announced in December 2013.
    • Landry's. Advised Landry's regarding its claims against two major card brands arising out of their allegedly unlawful conduct in imposing substantial assessments related to a data security breach suffered by Landry's.
    • Arby’s Restaurant Group. Advised Arby's regarding defense against all third-party claims arising from a payment card incident announced in February 2017.
    • Genesco. Advised Genesco on how to address its various legal obligations and exposures resulting from a substantial data security breach that Genesco discovered in late 2010.