The US National Security Agency (NSA) recently announced that it would delete all of the phone call and text records it has collected since 2015. Why? Because the organization had collected data that it wasn’t authorized to have, according to an official statement.

In the statement, the NSA refers to this data as call detail records (CDRs), which it had acquired under Title V of the Foreign Intelligence Surveillance Act (FISA). A few months ago, analysts at the NSA noticed “irregularities” in some of the telecommunications data it had received. These irregularities led to CDRs that the NSA wasn’t authorized to access, the statement said.

“Because it was infeasible to identify and isolate properly produced data, NSA concluded that it should not use any of the CDRs,” the statement said. “Consequently, NSA, in consultation with the Department of Justice and the Office of the Director of National Intelligence, decided that the appropriate course of action was to delete all CDRs.”

SEE: Data classification policy (Tech Pro Research)

While the root cause has been addressed, the NSA noted in its statement that it had alerted the Congressional Oversight Committees, the Privacy and Civil Liberties Oversight Board, and the Department of Justice, which notified the Foreign Intelligence Surveillance Court.

According to the statement, the records deletion began on May 23. As noted in a New York Times report, this data could comprise some hundreds of millions of records.

As data continues to drive business outcomes, this situation with the NSA should serve as a warning to companies that are increasingly working with such data–especially sensitive customer data. With new regulations like GDPR and the California Consumer Privacy Act going into effect, the consequences for data misuse can be severe.

The big takeaways for tech leaders:

  • The NSA announced that it will be deleting all of the phone call and text records it has collected since 2015, due to the presence of unauthorized records.
  • The NSA’s data deletion should serve as a warning to companies that work with personal customer data to stay strict about their collection policies to avoid compliance or regulatory issues.