by rst 4950 days ago
Even the Massachusetts data privacy laws (which are more comprehensive than most that apply in the U.S.'s crazy quilt of overlapping jurisdictions) fall short of requiring password encryption. The closest I can find in the summary of requirements (on page 4) is that anyone who stores information about a resident of the Commonwealth is required to use "a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices"; there's no specific method of hashing or encryption, and no guide about what's "reasonable".

There's also a requirement to encrypt data in transit over insecure networks, or when stored on portable devices, including laptops, but that doesn't seem to apply to main servers wired into racks.

(As to whether these apply to you, well... IANAL; the law claims to apply to anyone who's storing data about Massachusetts residents, but I don't know how well that actually sticks to people who are physically located elsewhere.)

Official summary of the requirements:

http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf