IANAL, but I'm pretty sure if someone leaves a Top-Secret document on the ground, and you pick it up, you don't go to jail for that. The data is accessible to the public -- this isn't a hack, this is just downloading.
They don't have a special permission, but each case is treated individually - what exactly technically you did matters just a little, the intent (not claimed intent, but the intent that the judge/jury would imply), circumstances and what you do afterwards with the data matter much more.
I.e., if a respected company downloads the data, reviews what horrible things it has and reports it to proper authorities (and gets legal advice before that on how best do it), then they're very likely to be treated as not done anything bad;
If I'd do the same, contact them asking to fix the vulnerability "or else", and then download the data and publish an angry video rant on youtube, that might land me in trouble, as (expected) intent matters a lot for prosecuting crimes.
You could make the argument that since the information was not protected in any way that you were allowed to download it, but try explaining that to a 65 year old judge who doesn't even comprehend the basic structure of the internet.
Do security firms have special permission to do this? Because as a private citizen, I am pretty sure I would go to jail if I tried this.