State AGs Argue That Federal Data Security Legislation Should Set Floor, Not Ceiling