'So if the US had enacted a European Data Protection law, the hacked organisations could have been vulnerable to enforcement action if their website security was at a level that left personal data vulnerable to hacking attacks. That does not negate the fact that Mr Love committed a hacking offence, but clearly if website security was weak, then this allowed Mr Love’s attacks to succeed.'
That has nothing to do with the case. By analogy if I leave my door open and you pop in and steal something, you are still guilty of theft. I was dumb in leaving the door open, but you still chose to thieve.