COLUMBIA — One lawsuit already has been filed against South Carolina’s revenue department over a hacking scandal that could affect millions of tax returns, and more litigation is expected — but even if the plaintiffs win, they could get just pennies apiece.

The reason: State law limits the amount that public agencies can be ordered to pay for negligence.

Last week, Gov. Nikki Haley and other officials announced that roughly 3.6 million personal South Carolina income tax returns had been put in danger after an international hacking attack. State officials later said that up to 657,000 businesses were also compromised in what some experts have said may be the largest ever cyber-attack against a state tax department.

On Wednesday, attorney John Hawkins — a former Republican state senator — sued Haley and Department of Revenue director Jim Etter for negligence. Hawkins said the state should have taken more steps to protect taxpayers’ information and called the hacking of millions of personal records a class-five “cyber hurricane.”

Haley, who opposed Hawkins’ attempt this year to regain his Senate seat, has discounted the lawsuit.

Hawkins wants class-action status and says he hopes to represent all taxpayers whose Social Security numbers and credit card information were compromised. It will be up to a judge whether to grant that request, and Hawkins says his office has already fielded 100 calls from people interested in joining up.

Since the 1980s, however, South Carolina law has limited the liability of public agencies in negligence cases to $600,000 per occurrence. This means that if a judge considered the hacking to have been a single event and 3.6 million individuals sued the Department of Revenue and won, their maximum takeaway would be just $0.16 apiece.

Hawkins says he has a good legal argument that the cap shouldn’t apply in this case but wouldn’t go into details Thursday.

Ken Suggs, a Columbia attorney who heads up his firm’s business litigation division, said getting around the cap could be difficult unless a judge rules that the word “occurrence” didn’t mean the hack itself but instead applied it to the days on which the thief actually used the stolen information.

“You could argue that the `occurrence’ is misuse of the data,” Suggs said, adding that the issue would likely end up in appeals.

Legal language aside, legislators have tackled the cap before. Last year, after dozens were injured and a 6-year-old boy was killed in the crash of a children’s train ride operated by Spartanburg County, state lawmakers considered allowing local governments to choose whether to pay out claims more than $600,000. Families argued that they faced mounting bills and were unfairly limited by the cap, which is imposed regardless of how many people seek to recover.

That bill died in committee, but similar legislation could resurface when legislators reconvene in January.

“I believe that it is worth us at least taking a look at it,” said state Sen. Vincent Sheheen, an attorney and Camden Democrat who lost the governor’s race to Haley in 2010. “You have to balance the cost to the state as a whole and to the very real injuries that the state sometimes inflicts on other people.”

Sen. Larry Martin, chairman of the Judiciary Committee that would consider such legislation, said he viewed the lawsuit as premature.

“There are a lot of things about this case that we still just don’t know,” said Martin, R-Pickens. “All of us as taxpayers are responsible. Whatever hit this is to the state, we’re going to somehow bear the cost for it.”