It's not clear who will pay for potential fraudulent charges on the card numbers obtained by hackers, which are currently for sale on the black market. Typically, the banks that issue credit cards like Chase and Citi are reimbursed by merchants—via credit card companies like Visa and MasterCard—where a fraudulent purchase is made online or over the phone. But banks themselves are often on the hook if the purchase is made in person at a store.
What's less clear is if banks will be reimbursed for other costs, like replacing cards or extra branch hours. That's where lawsuits likely come in.
"The banks are definitely going to want to get their customer service cost back," said Avivah Litan of research firm Gartner. She said banks may sue individually or, more likely, go through Visa and MasterCard to reach a settlement with Target.
The central issue will be Target's potential negligence. Deciding to what extent the company is responsible will involve teams of forensic investigators and lawyers. Target will likely say it had the best security system possible and was compliant with industry standards, but that the hackers were just too sophisticated. Banks and credit card companies will likely argue that Target's data security was insufficient.
While merchants often pay for security breaches where they are at fault, "the mere fact that you had a breach doesn't mean you are necessarily liable," said attorney Sabett.
Target could also be fined for violations of credit card association rules if the data breach could have been prevented, according to experts.
(Read more: Weak US card security made Target a juicy target)
Chase declined to comment on any potential litigation or the costs associated with the Target breach. "We are working to protect the accounts of our customers–that's our focus right now," said bank spokeswoman Patricia Wexler.
Bank of America also wouldn't comment on Target litigation. It did reiterate that its customers don't have to pay for fraudulent charges.
A spokesperson for Citi declined to comment on suing. "We are focused on taking steps to protect our customers," said Emily Collins.
Besides banks, Target could face legal actions from consumers and state officials. But it's unclear if they will be successful.
(Read more: Target data breach spurring lawsuits, investigations)
Three class-action lawsuits have already been filed and government lawyers from Connecticut, Massachusetts, New York and South Dakota have asked Target for information about the breach, according to
Target did not comment on potential liability. "I can assure you that our guests will not be held financially responsible for any credit or debit card fraud," said spokeswoman Katie Boylan.
(Read more: Target gives 10% discount to shoppers after data breach)