Folks of a certain age, and fans of “Guardians of the Galaxy’s” Awesome Mix vol. 1, have a hard time forgetting that late ’70s song by Rupert Holmes, “Escape” (“If you like piña coladas, getting caught in the rain….”). But for millions of subscribers to infidelity website AshleyMadison, there’s no easy escape from hackers’ public disclosure of subscribers’ personal information. In the ensuing schadenfreude-field-day, and amidst early reports of extortion attempts and even suicides, there’s an important lesson to remember. Whether or not a company’s business model is broken vows, broken promises in a privacy policy can have severe repercussions.

KrebsOnSecurity has reported that the AshleyMadison hackers “decided to publish the information in response to alleged lies ALM [Avid Life Media, the Toronto-based owner of AshleyMadison] told its customers about a service that allows members to completely erase their profile information for a $19 fee. According to the hackers, although the ‘full delete’ feature that Ashley Madison advertises promises ‘removal of site usage history and personally identifiable information from the site,’ users’ purchase details — including real name and address — aren’t actually scrubbed. ‘Full Delete netted ALM $1.7mm in revenue in 2014. It’s also a complete lie,’ the hacking group wrote. ‘Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.’”

Did the website operator break that promise? ALM denies it, and this will no doubt be sorted out in the inevitable eruption of litigation that already includes multimillion-dollar class action filings in Canadian and U.S. courts.

But the broader point is that privacy policy statements matter. While no one may actually read them up front, they become critical after the fact in a “when not if” world of data breaches. Sometimes one must look very closely to catch potential problems. Other times, privacy policy statements spell doom from the get-go, such as when PetCo Animal Supplies’ privacy policy touted that it “provides a ‘100% Safeguard Your Shopping Experience Guarantee’ so you never have to worry about the safety of your credit card information.” Really?

So, avert your eyes from the AshleyMadison fiasco for a moment, and take a fresh look at your company’s privacy policy. Then ask yourself, are we actually doing what we say we’ll do, and actually not doing what we say we won’t? And what have we put in place to ensure compliance?