[RickM]

Any manager that shoots down encrypting PII (Personally Identifiable Information) for the reason stated above should be fired.
The cost for securing data is sometimes very high. That's why many executives have such a cavalier attitute. But look at the alternatives. You'd think something this obvious would be handled properly. Most responsible corps use a storage facility that transports in a secure manner. For example we use Iron Mountain for offsite storage.

Regarding laws and industry standards;

Visa and other card companies have banded together and instituted security guidelines that CC processors or merchants must follow....it's called Payment Card Industry or PCI (formerly CISP) and the fines and resultant costs are potentially very high. Your level of compliance is determined by the volume of CC transactions one handles.

California also has a law that requires any breach to be reported to all potential "victims".

The laws and industry self governance are coming...just very slowly.