Data protection laws in the US

Imagine there is a company that is headquartered out of the US. They have a desktop CRM type system and the database is encrypted to make access difficult, which they could argue it a valid security measure. However, if the user of the software no longer wishes to use the software and asks to be given a dump in CSV, Excel or similar the company refuses. They could have years of important business information and if they don’t pay the ongoing fee this would be lost.

Has anyone dealt with this and have any ideas what can be done to force them to allow exporting of the information?