[pnt12]

I concede that intent matters.

Maybe a better analogy is a bank with open lockers and no vigilance: if someone enters and steals money, the police will look for them, because "the coffers were open" is not a valid defense. But customers will also demand answers from the bank - why were they so negligent and incompetent that someone can just enter and get their money?

We should hold similar values for digital systems.

Was the author's intent on stealing private data and causing harm? Did he gain from this abuse? Did the company take enough measures to safeguard their data?

Companies have been mostly not held responsible for their fuck ups, and no matter the law, that's wrong to me.