To the best of my knowledge, no current state or federal regulation specifically lists passport numbers as personally identifiable information (PII) for businesses. However, as part of FISMA (the Federal Information Security Management Act of 2002), which affects federal agencies (and, by various state laws, many state agencies as well), NIST has released a draft publication, SP800-122, which is the Guide to Protecting the Confidentiality of Personally Identifiable Information, which does specifically list passport numbers as PII.
Additionally, the Office of Management and Budget recently released the OMB M-07-16, which requires agencies to implement a breach notification process for the loss of personal information. For the purposed of M-07-16, OMB defined PII as such: "The term 'personally identifiable information' refers to information that can be used to distinguish or trace an individual's identity, such as their name, Social Security number, biometric records, etc. alone, or when combined with other personal or identifying information, which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc."
It seems pretty clear that this would include passport numbers as well. The OMB memorandum also references the Privacy Act of 1974, which itself requires that the government maintain control over assorted PII, which should also include passport numbers.
For more information:
This was first published in December 2009