"They looked for the password on the CD . . ."
Dear God. Look, I understand that it was a Friday evening but come on, if you send a password-protected file and the password in the same package, it really totally defeats the purpose of the password.
The last time I had to send protected data I arranged with the recipient to send said data via email, and the password via SMS. Might not be a perfect solution, but it fits the purpose. I'm sure most people would do the same.
Of course, the password I chose was a tad more complex - which means that, had the data been sent by me, this story would have ended quite differently.