"Given the magnitude of the breach and what we've seen in the past, banks are likely to bring action," said information security expert Randy Sabett, an attorney at ZwillGen.
Target said on Dec. 19 that approximately 40 million credit and debit card accounts "may have been impacted" after being used to pay for purchases at its U.S. stores between Nov. 27 and Dec. 15. Chase and Citi moved over the weekend to monitor or impose limits on cards that were affected; Chase even reopened a third of its branches Sunday to help issue new cards and allow for large withdrawals.
(Read more: JPMorgan limits debit cards used at Target)
Banks have sued merchants following large security breaches in the past. A 2007 hack of accounts at T.J. Maxx cost parent TJX Companies a reported $256 million in settlements with banks, credit card companies and others. And a 2009 breach at Heartland Payment Systems eventually cost the company $140 million, with more litigation ongoing.