I suspect the police department used a document disposal company, and this company took advantage of an opportunity to supply some organization at the parade with paper and simply ignored the security requirements of their customers.
Given that the actual shredding job wasn't very good in the first place, the Nassa County Police should probably start looking for a new document disposal provider.
I don't know about police departments, but every big company I've ever worked at outsourced their shredding. Any sensitive documents went in the shred bin, which was periodically picked up by the shredding company. It makes no sense to me either.
I think the security level is different. I wouldn't use a shredding service to dispose of old checks or my social security card, but for things that don't matter to the real world like performance reviews or meeting notes, I think it's fine.
Everywhere I've worked, the bin has always been "secured" with a three-pin lock that can be picked with a paperclip. That's a good way of expressing how seriously document destruction is taken.
I know at an ex-employer of mine, we chose to use an outsourced shredding company mostly because of legal reasons. I'm not entirely sure how it worked, but since we were handling PHI (patient health information), we had certain rules we had to abide by, and were liable if this data got out. Apparently, the outsourced shredding company insured us against some of these liabilities. I imagine police departments have similar situations.
Why not? Lots of them will come to you, so the difference is owning and supporting the shredding machines or dropping the papers in the chute and seeing confetti spew out the other end, proof enough that it's doing what it's advertised. Some shredding companies have large incinerators too, another large, expensive piece of hardware that every single police department probably can't reasonably afford.
Could people who picked up pieces of confetti and stuck them together in order to decipher their contents be charged with a crime, similarly to how people have been prosecuted for "hacking" by retrieving information through trivial tinkering with public URLs?
If they were to actually exploit their possession of the information (eg. get credit in the person's name by piecing together confetti with name, DOB, and SSN), it would be a crime.
The tricky thing is that with hacking, the line between piecing together the vulnerability and exploiting it doesn't involve as much clearcut intent and harm.
The article said things were horizontally shredded so full text was visible in places. IANAL but I don't think you can be charged with seeing something that's as plain as day.
It goes back to really old case law as to "allowed" access to a computer system.
Basically if you see a url with /foo.html?user=1234 and you go, hmm lets switch the number to 1235 and see what happens. Basically that is outside of reasonable expectations to access a system. Or something like that, i'm not a lawyer but that is how I understand the case law works for now.
“Maximum Particle Dimensions: 75% of the shredded particles shall have no edge dimension exceeding 5 millimeters in length. The remaining particles may exhibit edge dimensions between 5 and 12.5 millimeters in length.”
Better yet, shred then take it to a recycling center where it is pulped immediately. Or shred it then burn it if you are cold/don't care about carbon emissions!
I don't know if the technology has improved since last I checked, but recycling shredded paper is a no-no. The fibers in the shredded paper are too short to make usable paper products from.
It doesn't matter how it's shredded; you still shouldn't be throwing paper that had someone's social security number on it (especially when that someone is a detective whose whole identity has now been revealed) off of a roof on national television.
In my experience, HIPPA does not provide any spec. It is akin to "did/do you have reasonable precautions for X?" so every organization is different, though many go to the extreme under HIPPA, because it providing documentation you had documentation, or documented you provided the document ad nauseam. It has little do do with how to mangle a document.
That said, HIPPA does have something: it persuades cynicism and paranoia. Two words which make cautious.
In large organizations that out-source their recycling/shredding there are typically two bins: a wide mouth "Paper Recycling" bin and a small mouthed "Secure Shredding" bin. I wouldn't be surprised if an office worker saw the two bins and decided against feeding a huge stack of documents 20-at-a-time into the secure bin instead dumped the whole stack into the non-secure bin.
I imagine they probably do have an official and audited document disposal process which complies with all relevant recommendations, but someone along the line simply ignored it.
What's most perplexing to me is how/why shreddings from a police department in a suburban police department came to be used, considering the relative size of the NYPD. Unless the floats and everything relating to the parade were prepared on the island.
I am surprised that there isn't some form of corn-starch-based confetti that would dissolve in the rain, used in these parades. It would be cheaper than paper due to corn subsidies.
Corn is in short supply and is currently being sold at record high prices. Subsidies have lead to cheap corn in the past, but corn hasn't been cheap for several years now.
Given that the actual shredding job wasn't very good in the first place, the Nassa County Police should probably start looking for a new document disposal provider.