(MONEY Magazine) – More than 9 million of us a year are victims of identity theft, which topped the Federal Trade Commission's list of consumer complaints in 2004 for the fifth year in a row. Despite recent legislation providing tougher safeguards against this crime, the bad guys still seem to be winning. ChoicePoint, a data provider, is just one of several large companies and universities that recently revealed that the personal files they keep on individuals had been stolen or illegally accessed, collectively affecting hundreds of thousands. For privacy expert Beth Givens, director of the nonprofit Privacy Rights Clearinghouse (privacyrights.org), the effort to stem the epidemic has become a crusade. Having pretty much written the book on the subject--she penned the ID-theft entry for the 2004 World Book Encyclopedia--Givens recently shared her tips about how consumers can best protect themselves.

Q. Short of crawling under a rock, how do you safeguard yourself from ID theft? A. Even a rock won't solve the problem. You can become a victim in ways you have no control over. Just look at the ChoicePoint situation: This was a business that unwittingly sold personal data on consumers to thieves. There is no way for ordinary individuals to safeguard themselves against that. All you can do is make sure you protect what you can control as best as you can, then constantly monitor your financial records to make sure thieves haven't gotten hold of the data that's out of your hands.

Q. Okay, let's start with what we should do about the stuff that's in our control. A. Think low-tech. Clean out any identifying information that you don't need from your wallet. Stolen wallets and purses are one of the primary ways that thieves get access to your personal information. [See "The Art of the Steal," page 48B.] That means you shouldn't carry any credit cards that you don't really need, and you should get rid of any ID that lists your Social Security number.

Q. But what if your health insurance card or some other piece of ID that you need has your Social Security number on it? A. Make a photocopy of the card, then black out all but the last four digits of your Social Security number and carry that paper version in your wallet. Keep the original at home. Your Social Security number is the most valuable piece of information an identity thief can get, so carrying it with you is asking for trouble.

Q. Does that mean you also shouldn't give out your Social Security number to service providers who ask for it? A. You should always question anyone who asks for your Social Security number. If the cable company, phone company or some other service provider asks for it to run a credit check, you can just request that they use another form of identification, such as your driver's license.

Q. What's the biggest mistake consumers make in terms of protecting themselves? A. A lot of people focus on Internet safety--maybe putting up a firewall or buying something online only over a secure site. But they neglect the basics offline, like simply protecting their mail better. Just think about all the mail you get with account information on it, plus all the unsolicited mail with personal details. If a thief intercepts that mail, you're in big trouble. So get a locked mailbox. Buy a crosscut shredder, and shred every piece of paper with personal information on it before you throw it away. Call 888-5-OPTOUT to get off the mailing lists for credit-card offers. And convert what bills you can to online bill pay because the odds of online theft are a lot lower than the odds of offline theft.

Q. A recent survey found that half of ID thieves turn out to be friends or family of the victim. How concerned should we be? A. This may not be nearly as big a problem as it has been made out to be. The study found that half of ID thefts involved family and friends only in cases where the victim knew who did it. But the thief is known in only 26% of all cases, so the actual incidence of theft by someone known to the victim may be much smaller.

Q. Are there any new steps consumers should be taking in the wake of ChoicePoint and similar recent incidents? A. One precaution is to check in with every business that you have an account with and ask to "opt out" of having your information sold to other businesses. They'll still be legally allowed to share your data with their business affiliates, but at least you will stop them from selling your data to outside companies.

Q. Yet even if I do all that, I'm still at risk. A. That's right because, again, so much of this is beyond your control. That's why you need to constantly monitor your records to make sure no one has hacked into your existing accounts or, worse, opened an account in your name that you have no clue about. Look for any suspicious activity that would signal an ID thief has gained access to your account.

Q. An estimated 20% to 30% of cases involve new accounts opened in the victim's name rather than use of an existing account. Your advice? A. Take advantage of a new federal regulation that helps you police your accounts by getting one free credit report a year from the three credit bureaus--Equifax, Experian and TransUnion. The law is being phased in now, and by Sept. 1 everyone will be eligible. [Get more information at annualcreditreport.com.] You can create your own free ongoing monitoring system by getting one report every four months--say, Experian today, Equifax four months from now and TransUnion four months after that. I don't think you should have to pay credit bureaus to do what should be a basic part of their business: protecting you.

Q. What if you're already a victim? A. File a police report and put a fraud alert on your account, which requires that you be contacted before any new credit is opened in your name. Once you place a fraud alert with one credit bureau, it must forward the request to the other bureaus. And you should extend the alert beyond the standard 90 days to seven years by writing to each credit bureau and including a copy of your police report.

Q. Do you think it's a good idea to buy identity-theft insurance? A. For most people, the biggest loss from ID theft is the time it takes to straighten out everything, not the financial loss, since you're generally not on the hook for a penny. But most policies cover only the money. They'll reimburse you for photocopying and other expenses and for lost income if you're self-employed or paid hourly. But they can't cover the hundreds of hours you spend calling, writing letters and pulling your hair out.

Q. So you'd advise against it? A. If a policy gives you peace of mind, I wouldn't argue too hard against it. And it can make sense if you can add it to your homeowners policy as an inexpensive rider, if you are self-employed or if you are paid by the hour. But I'd rather people realize that the real solution is prevention. Do the free stuff, like shredding your sensitive papers, checking your credit report and safeguarding your Social Security number, and you'll reduce your odds of being victimized.

Contrary to popular misconception, most identity thieves do not obtain personal information about their victims through spyware, "phishing" or other electronic means. Low-tech methods, such as stealing a wallet or pilfering receipts, are still used in the majority of instances in which the method of the crime is known.

NOTE: 19% were unclear about the method of the theft or were victimized in another way. SOURCE: Javelin Strategy & Research.