I would actively insist not storing PII in plain text unless there was absolutely no way around it. And it may involve changing the business model to enforce that certain data is not needed to be actively processed by the web application in the ordinary course of business. This is part of the security pushback phase that is essential that more developers adopt as a matter of professional ethics.