by meowface
4453 days ago
I think it depends on exactly what he did here. I don't know the details of the case. If he simply ran the Heartbleed script for an hour or 2 and did literally nothing else after it finished running, then yes, your analogy is the correct one and mine is wrong. In that case he should probably only be liable for the money spent by the agency in investigating the attack. If he scraped out the SSL private key from the results, that's clearly worse. If he additionally scraped out everything that fit the format of an insurance number, then it's quite a bit worse. If he planned on publicizing or personally using any of these, then it's far worse. I would also argue that it's less like a window being left open, but rather a door located around the back of the building where no one goes accidentally being left unlocked.

I do concede that the proper analogy isn't something so plainly visible to all as an open window, but it does have to incorporate an external motivating factor to try the door (perhaps a rumor floating around town that they tend to leave it unlocked and oh boy you wouldn't believe what's on the other side..)