Dro: it's something I've said before, but it bears repeating: most of these leaks (and indeed, most cyber crime in general) are caused not by extremely clever hackers, but by incredibly, inexcusably poor security practices. (The OPM breach is a particularly egregious example by an agency that really should have known better.) These are for the most part things that *could* have been rather easily mitigated but weren't.
But yeah, the part about storing things like SSNs, credit card numbers, medical information, or other PII, or even passwords in plaintext (which is something I happen to know a certain large financial services company does) is completely absurd. IMO we need to see legislation that actually illegalizes stuff like that.
There are some things that there is *no* legitimate reason to ever store unhashed - passwords, security questions, SSNs (when used only for identification purposes), any other forms of authentication, and anything else that there is no reason to ever retrieve. (hashing being theoretically non-reversible)
Credit card numbers could probably fall under this too - I would rather have an online store authenticate my credit card information with a SHA-256 hash of my CC# (with the understanding that the agency would only accept that hash from approved vendors) and never store my CC# anywhere at all. That way, even if you manage to get a hash of my CC, it's for the most part functionally useless to you. (Rainbow tables, etc. aside, I mean, "it would take more money and time to get it than it's probably worth")
Everything else that is PII/PMI related but might need to be retrieved should be encrypted and stored in a manner that requires two-factor authentication to access. If it doesn't need to be readily accessed online, then it shouldn't be stored on a computer with an internet connection. If it only needs to be shared with certain agencies, then you should do so via a GRE tunnel with an implicit deny on all non-whitelisted devices and ports.
These aren't hard changes to make. Most existing infrastructure already supports it. It just needs to be passed into law with severe penalties for companies/organizations that are non-compliant, and with regular "cyber security inspections."
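As an added example (not part of Dro's post), here is what "store a hash, never the secret" looks like for the verify-only category the post describes, namely passwords and other values that are checked but never retrieved. It uses Python's standard library only: `hashlib.scrypt` with a random per-record salt and a cost factor, and `hmac.compare_digest` for constant-time verification. The record format `scrypt$N$r$p$salt$key` and the sample credentials are my own constructed conventions, not a real system's. The bare SHA-256 helper is included beside it to make the difference visible: an unsalted fast hash gives identical output for identical inputs, so one cracked record answers for every account sharing that secret, while the salted, slow form does not.

```python
import hashlib
import hmac
import os

# Tunable work factors (hypothetical defaults chosen for this demo).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN = 16   # bytes of random salt per stored record
KEY_LEN = 32    # bytes of derived key to store


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record 'scrypt$N$r$p$salt_hex$key_hex'.

    Only this record is persisted; the password itself is never stored.
    A fresh random salt is drawn unless one is supplied (tests only).
    """
    salt = salt or os.urandom(SALT_LEN)
    key = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
        dklen=KEY_LEN,
    )
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key from the stored parameters and compare
    in constant time, so timing does not leak how many bytes matched."""
    algo, n, r, p, salt_hex, key_hex = record.split("$")
    if algo != "scrypt":
        raise ValueError(f"unsupported record type: {algo}")
    expected = bytes.fromhex(key_hex)
    candidate = hashlib.scrypt(
        password.encode("utf-8"),
        salt=bytes.fromhex(salt_hex),
        n=int(n), r=int(r), p=int(p),
        dklen=len(expected),
    )
    return hmac.compare_digest(candidate, expected)


def bare_sha256(secret: str) -> str:
    """The weaker form for contrast: unsalted, fast, and identical for
    identical inputs across every user and every deployment."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample accounts; the two users happen to share a password.
    users = {"alice": "correct horse battery", "bob": "correct horse battery"}
    store = {name: hash_password(pw) for name, pw in users.items()}
    for name, record in store.items():
        print(name, record[:40] + "...")
    print("same bare sha256 for both:",
          bare_sha256(users["alice"]) == bare_sha256(users["bob"]))
    print("same scrypt record for both:", store["alice"] == store["bob"])
    print("alice login ok:", verify_password("correct horse battery", store["alice"]))
    print("alice wrong pw:", verify_password("wrong", store["alice"]))
```

The cost parameters are stored inside each record so they can be raised for new records without invalidating old ones; on a successful login a record built with older parameters can simply be re-hashed. Salting and a slow KDF raise the cost per guess but do not create entropy the secret lacks: for a value drawn from a small space, such as a nine-digit identifier, the hash-and-verify pattern still leaves each record individually guessable, which is why such values are better handled under the post's "encrypt and restrict access" category than its "hash" category.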