I’ll let the judge decide that.
As it stands, banks, etc.. are responsible for providing some level of adequate protection of customer data.
As such, if user data is compromised, the entity can be held responsible if they did not take adequate precautions.
Like most class action type suits, even without absolute proof of wrongdoing, settlements are reached.
And, then you have the question of proprietary ownership.
You own the box but MS owns the software. Sorry Charlie.
Meh...even the Linux Project owns their OS/software systems; we use them according to their operational agreement.