As far as legalities are concerned, in the world of information/data security, as long as the company was determined and had made a legitimate, earnest effort to keep its data protected (up-to-date patches, decent system security checks/processes, etc.) - then the company can't be blamed for negligence. Hacks happen all of the time, unfortunately, and it's impossible to stop all of them.
You're off the mark quite a bit. Retailers have to follow a litany of different rules stated by the Payment Card Industry. There have been many versions of the rules that retailers have to follow. These versions of the rule sets are often referred to as "PCI 3" or "PCI 3.2". This isn't a loose sort of suggestion. This is a set of standards that the credit card processors and credit card brands set forth that merchants MUST meet in order to process credit cards at their location. The rules list is long and quite detailed. To the point where if you process credit cards, your server must be in a locked office with a video camera pointed at it. These rules are taken pretty seriously.
That said, enforcement of these rules has been pretty lax. The credit card processors say that retailers need to follow the rules, but they never actually pull the plug on retailers and actually stop them from processing. This almost never happens.
What we've ended up with over the years is massive swaths of businesses out there that haven't kept up with the security protocols to any degree. Security costs money. Having a company come in and set up firewalls and apply security patches and upgrade software costs tens of thousands of dollars, and up until this point businesses just don't do the upgrades. Business owners are notoriously cheap and really don't give a hoot about the security of their customers' credit card information. This is plain and simple.
Now, however, with the switch over to chip-based transactions, the credit card companies are putting the screws to retailers to upgrade their systems, and hundreds of thousands of businesses across the country are scrambling to upgrade their systems to accept chip payments. They're only doing this because the credit card processors are forcing the liability of fraudulent transactions onto the merchant. If someone comes into a store and swipes their card for 500 bucks, then calls the bank and says they didn't do that transaction, the credit card companies are literally taking that money from the retailer. If the card was swiped instead of using the chip, the merchant is now responsible for that chargeback. Previously the card brands ate the loss.
Since they started doing this, more businesses have started paying attention to their security. Not because they give a crap about your card security; it's because they care about their bottom line.
The point that I was making is that there have been tons and tons and tons of breaches. It's not like these companies are unaware of what they need to do to secure their systems. Any big company has probably had quotes for security upgrades given to them yearly by competent point-of-sale companies and simply refused to go through with the upgrades. For example, prior to being hacked, Home Depot executives were presented with their woeful security flaws and prompted to upgrade their network security. The response from the executives was "We sell hammers." Seriously. Home Depot literally just didn't care.
At a certain point you have to look at these businesses and business owners. Typically a business decision has been made to not spend the money on security. I feel like maybe the fingers should point to the source of the incompetency.
Source: Me. I've worked in the POS industry for 10 years.