I'm surprised the security department didn't red-flag a developing department sending accounting data (the .csv files). Heck, I'm surprised the .csv files weren't themselves flagged as suspect for being .csv files. After all, confidential financial data could've been on them and all...

As for the stego, that can be made very difficult with a sufficiently-sophisticated sanitizer. Text can have whitespace trimmed, specific formatting enforced, and secret misspellings corrected. Graphics can be altered, flattened, and stripped of extra tags. Other formats, even programs, can be inspected by knowing how they're formatted, reducing the odds of hiding something there. Other formats can be restricted as too risky or too big.

As for the code phrase system, two things you have to negotiate first. First, you actually have to meet, which runs you the risk of meeting a mole (there have been recent stories of terror plots foiled because one party was a mole). Second, such a system has a limited vocabulary, so if you decide it's neither the Queen nor the Prime Minister but rather one specific minister from such-and-such at a specific place and time, you lack the means to convey something that specific.
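The text part of the sanitizer described in the comment above (whitespace trimmed, specific formatting enforced), sketched as an added example that is not part of the original comment. The function name, the findings counters and the sample string are constructed for illustration; misspelling correction is left out because it needs a dictionary.

```python
import re
import unicodedata

def sanitize_text(text):
    """Return (canonical_text, findings) for an outbound text file.

    Rewrites the text into one canonical form so that whitespace,
    line-ending and invisible-character variations cannot carry hidden bits.
    The findings counters let a gateway flag files that needed rewriting.
    """
    findings = {"invisible_chars": 0, "trailing_ws_lines": 0, "space_runs": 0}
    # Unify line endings first so a CR/LF mix cannot encode anything.
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    # Fold compatibility forms (no-break space, full-width letters) to one spelling.
    text = unicodedata.normalize("NFKC", text)
    out_lines = []
    for line in text.split("\n"):
        kept = []
        for ch in line:
            cat = unicodedata.category(ch)
            if ch == "\t" or cat == "Zs":
                kept.append(" ")                  # every space-like char becomes one plain space
            elif cat in ("Cf", "Cc"):
                findings["invisible_chars"] += 1  # zero-width and control characters are dropped
            else:
                kept.append(ch)
        line = "".join(kept)
        stripped = line.rstrip(" ")
        if stripped != line:
            findings["trailing_ws_lines"] += 1
        collapsed = re.sub(r" {2,}", " ", stripped)
        if collapsed != stripped:
            findings["space_runs"] += 1
        out_lines.append(collapsed)
    # Enforce layout: at most one blank line in a row, exactly one final newline.
    clean = re.sub(r"\n{3,}", "\n\n", "\n".join(out_lines)).strip("\n") + "\n"
    return clean, findings

# Constructed sample: trailing tab, zero-width characters, doubled spaces,
# a no-break space, extra blank lines and mixed line endings.
SAMPLE = "Quarterly report \t\r\nTotal:\u200b  42\u200c\r\n\r\n\r\n\r\nEnd\u00a0of file   \n"

if __name__ == "__main__":
    clean, findings = sanitize_text(SAMPLE)
    print(repr(clean))
    print(findings)
```

Non-zero counters are worth logging per sender: a file that needed invisible characters removed is a better alert than one that only had trailing spaces.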

