If you had to guess, how many companies would you say have enough of your personal data stored in various databases to make even a rookie crook ready for prime-time conning?

Ten perhaps? What about 50, 100 or 1,000?

You probably don't know the answer, and that is exactly the problem.

In the past six months, the personal data of millions of consumers have been lost, stolen or sold to identity thieves. The most recent case involved a financial unit of Citigroup Inc. CitiFinancial, which provides a wide variety of consumer loan products, disclosed that personal information (Social Security numbers, loan account data and addresses) of 3.9 million of its customers was lost by UPS in transit to a credit bureau. So far, CitiFinancial said, it had no reason to believe that the information has been used inappropriately.

So far.

Every time we hear of one of these cases, the companies involved tell their customers not to worry. Trust us, they say. They pledge to enhance their security procedures.

The promises don't make me feel any safer about my personal data. How about you?

It's time for the federal government and the states to step in and make sure the companies fulfill those promises.

There have been some efforts to protect people's financial information. On June 1, a federal rule took effect that requires businesses and individuals to destroy sensitive information derived from consumer credit reports.

I was initially encouraged when I heard about this rule. It seems to cover all the bases -- individuals and both large and small organizations that use consumer reports, including consumer reporting companies, lenders, insurers, employers, landlords, government agencies, mortgage brokers, car dealers, attorneys, private investigators, debt collectors and people who pull consumer reports on prospective home employees, such as nannies or contractors.

There's just one little problem with this "disposal rule." There is no standard for how the documents have to be destroyed. Here's the direction the Federal Trade Commission is giving to businesses and individuals: "The proper disposal of information derived from a consumer report is flexible, and allows the organizations and individuals covered by the rule to determine what measures are reasonable based on the sensitivity of the information, the costs and benefits of different disposal methods, and changes in technology."

How strong is a standard if it has no standard? Basically, those who have our information get to decide how and when it is to be destroyed.

"The burden is completely on the consumer to protect what is important," said Evan Hendricks, editor and publisher of Privacy Times newsletter.

Oh, well, maybe we can turn to Congress for help in protecting our data. Several legislators have proposed or are working on bills to protect personal data. For example, Sen. Dianne Feinstein (D-Calif.) has introduced legislation that would require companies to notify their customers in writing or by e-mail if they could be a victim of identity theft because their data was compromised.

Sen. Charles E. Schumer (D-N.Y.) and Sen. Bill Nelson (D-Fla.) have co-sponsored legislation that would limit the sale or transfer of sensitive personal information. It would also restrict the use of Social Security numbers.

I certainly applaud all these efforts. But they are just that -- efforts. Until Congress sees fit to pass tough laws outlawing the collection of our Social Security numbers, at the very least, I plan on becoming as obnoxious as I can about protecting my data. You want my personal financial information? Well, you better have a good reason to ask for it.

For instance, I recently contracted to have an alarm system installed in my home. As I was filling out the sales agreement, I noticed a request for my Social Security number. I refused to divulge it. The salesman said it was a requirement. He said I "had to" give it to him.

I unequivocally refused to divulge my number. A manager of the company called. He explained that the company needed it to pull my credit score because we were signing up for a three-year monitoring service. He said it had been the firm's experience that people with low credit scores often break the three-year contract.

Even if that was the case, I was appalled at the lack of security about my data from this security company. By my rough estimate, from the time the salesman took my service agreement to his office, my data could have been exposed to at least half a dozen of the company's employees. In several of the recent data breaches, it was employees who were doing the pilfering.

I was prepared to leave my home unprotected for the time being in the name of protecting my personal data.

Ah, but here's where it pays to be persistently arrogant about protecting your data.

The manager came up with a way to get my Social Security number without my actually giving it to anyone at the company. In a three-way conference call, he phoned the credit bureau and when the system asked for the customer's Social Security number, I punched it in. All he heard on his end was the beeping sound. In a few seconds he got my credit score without having to know my Social Security number.

So, folks, it's up to us. We have to become our own data protectors. You may not win the battle all the time, but if you're fierce enough you can reduce the number of companies that "have to" have your information.

Penny Pincher Contest

It's time for my Penny Pincher of the Year contest. All you have to do is nominate someone with an original penny-pinching strategy -- a friend, a relative, even yourself. Edited versions of entries may be published. Only e-mail entries will be accepted. Send your entries by June 20 to colorofmoney@washpost.com. Please put "2005 Penny Pincher of the Year Contest" in the subject line. Include your address and daytime and evening phone numbers.

Michelle Singletary discusses personal finance Tuesdays on NPR's "Day to Day" program and online at www.npr.org. Readers can write to her at The Washington Post, 1150 15th St. NW, Washington, D.C. 20071 or send e-mail to singletarym@washpost.com. Comments and questions are welcome, but because of the volume of mail, personal responses are not always possible. Please also note that comments or questions may be used in a future column, with the writer's name, unless a specific request to do otherwise is indicated.