Under the CFAA, the burden isn't on the service provider to block access. They can be as incompetent as they'd like. It's up to the person accessing the service to not exceed their access rights - and in this case he had no access rights.
Simply put, the guy that bought the cameras acquired access rights to the view the camera stream through the cloud service with his purchase. When he returned them, those rights expired. By logging back into the service and viewing the stream from cameras he knew he had returned, he exceeded his access rights.
I really think we need to get them to make a more sensible definition of 'unauthorized access'. I've posted a few times before about how I think we should have defined it -
Simply put, the guy that bought the cameras acquired access rights to the view the camera stream through the cloud service with his purchase. When he returned them, those rights expired. By logging back into the service and viewing the stream from cameras he knew he had returned, he exceeded his access rights.