Friday, September 25, 2009

Do a Retailer's Requirements to Protect Cardholder Data Go Beyond PCI?

Last week the US District Court in Maine threw out most of the claims in the class action lawsuits against Hannaford over their data breach. What it did not throw out was a claim that Hannaford had an implied duty to take reasonable measures to protect consumer data. What this means is that, in addition to the several state laws that require protection of consumer data, retailers may become subject to an implied contract that they must protect the consumer data they gather in the course of doing business. Other retailers have been assessed penalties by the Federal Trade Commission for unfair practices in protecting consumer data. While actual consumer damages in these breaches have been low because of the issuers' card protection, I wonder if this opens the door for easier recovery of costs from merchants by the impacted financial institutions.
