My colleagues can elaborate, but subject to anything we may learn in the investigation, it seems to us that given the requirement for encryption and the fact that the information transferred was not encrypted, it's pretty clear that the policy was not followed.
The policy was in place and the requirement was in place, but the indications we have are that the policy was not followed.