“Given the magnitude of the breach and what we’ve seen in the past, banks are likely to bring action,” said information security expert Randy Sabett, an attorney at ZwillGen.
Target said on Dec. 19 that approximately 40 million credit and debit card accounts “may have been impacted” after being used to pay for purchases at its U.S. stores between Nov. 27 and Dec. 15. Chase and Citi moved over the weekend to impose limits on cards that were affected; Chase even reopened a third of its branches Sunday to help issue new cards and allow for large withdrawals.
(Read more: JPMorgan limits debit cards used at Target)
Banks have sued merchants following large security breaches in the past. A 2007 hack of accounts at T.J. Maxx cost parent TJX Companies a reported $256 million in settlements with banks, credit card companies and others. And a 2009 breach at Heartland Payment Systems eventually cost the company $140 million, with more litigation ongoing.
It’s not clear who will pay for potential fraudulent charges on the card numbers obtained by hackers, which are currently for sale on the black market. Typically, the banks that issue credit cards like Chase and Citi are reimbursed by merchants—via credit card companies like Visa and MasterCard—where a fraudulent purchase is made online or over the phone. But banks themselves are often on the hook if the purchase is made in person at a store.
What’s less clear is if banks will be reimbursed for other costs, like replacing cards or extra branch hours. That’s where lawsuits likely come in.
“The banks are definitely going to want to get their customer service cost back,” said Avivah Litan of research firm Gartner. She said banks may sue individually or, more likely, go through Visa and MasterCard to reach a settlement with Target.
The central issue will be Target’s potential negligence. Deciding to what extent the company is responsible will involve teams of forensic investigators and lawyers. Target will likely say it had the best security system possible and was compliant with industry standards, but that the hackers were just too sophisticated. Banks and credit card companies will likely argue that Target’s data security was insufficient.
While merchants often pay for security breaches where they are at fault, “the mere fact that you had a breach doesn’t mean you are necessarily liable,” said attorney Sabett.
Target could also be fined for violations of credit card association rules if the data breach could have been prevented, according to experts.
(Read more: Weak US card security made Target a juicy target)
Chase declined to comment on any potential litigation or the costs associated with the Target breach. “We are working to protect the accounts of our customers–that’s our focus right now,” said bank spokeswoman Patricia Wexler.
Bank of America also wouldn’t comment on Target litigation. It did reiterate that its customers don’t have to pay for fraudulent charges.
A spokesperson for Citi didn’t immediately respond to a request.
Besides banks, Target could face legal actions from consumers and state officials. But it’s unclear if they will be successful.
(Read more: Target data breach spurring lawsuits, investigations)
Three class-action lawsuits have already been filed and government lawyers from Connecticut, Massachusetts, New York and South Dakota have asked Target for information about the breach, according to USA Today.
Target did not comment on potential liability. “I can assure you that our guests will not be held financially responsible for any credit or debit card fraud,” said spokeswoman Katie Boylan.
—By CNBC’s Lawrence Delevingne. Follow him on Twitter @ldelevingne.