I assume if that ever happens, someone will register https://haveibeenpwnedbyhaveibeenpwned.com. It'll be the top post of HN for a couple of says while everyone argues in the comments about how the state of online security is "fundamentally broken" while someone asks if they can sue. Then we'll all forget and move on.
I think there was an earlier blog post from Troy sometime ago describing that HIBP never stores unencrypted email addresses; i.e. they are all hashed and any lookups go against the hash, not the actual email address.
