Send a contract to opposing counsel without waiving privilege

You're three days into negotiating a master services agreement with opposing counsel. They've asked for redlines on the indemnification section. You email a Word doc — and the moment it lands in their inbox, it's been copied to their document management system, indexed by their litigation hold software, and potentially shared with co-counsel you've never been introduced to. If this deal goes sideways and ends up in front of a judge, the privilege argument you'd make about that draft just got harder.

ABA Formal Opinion 477R is the operative guidance here: lawyers must use "reasonable efforts" to prevent unauthorized access to client information when communicating electronically. It's deliberately not prescriptive — the standard scales with sensitivity, and it leaves the "what counts as reasonable" question to your judgment. But there's a thread that runs through every privilege-survival case in the last decade: chain of custody, identity-bound delivery, and a defensible disposal record. If you can show all three, you've got a story. If you can't, you've got a problem.

The privilege question isn't theoretical

Privilege challenges on transmitted documents come up in three predictable scenarios, and they all share a structural weakness: the sending firm can prove what they sent, but can't prove who received it, when it was opened, by whom, or whether it still exists.

• Inadvertent disclosure disputes. Opposing counsel claims the document was sent to a wider audience than intended. Without delivery telemetry tied to a specific recipient identity, you're arguing on email logs and good faith.
• Discovery scope motions. A document produced in one matter surfaces in another. The chain of custody from the original sender to the new recipient is the load-bearing question — and most firms can't reconstruct it past "we emailed it."
• Breach disclosure obligations. A vendor or co-counsel firm gets breached. You need to determine, six months later, exactly which documents went to which people and whether copies still exist anywhere. Email plus shared drives is not a good answer to that question.

The common failure mode is the same in all three: the firm treated transmission as a one-time event instead of a relationship with a half-life. Once the document leaves your outbox, you've lost the ability to answer the questions a court or bar counsel is going to ask.

"We sent the redline" is an assertion. "We sent the redline at 14:03 to a verified email address, it was opened once at 14:21 from a New York IP, the copy expired at 18:00 the same day, and here's the signed receipt" is a record.

What "reasonable safeguards" actually look like

ABA 477R lists factors lawyers should weigh: the sensitivity of the information, the cost of additional safeguards, the difficulty of implementing them, and the effect on the client's representation. The opinion doesn't mandate encryption — it mandates judgment. But the same opinion makes clear that for "particularly sensitive" matters, ordinary email may not clear the bar.

What does clear it, in practice, breaks down into three pieces:

1. Pre-transmission protection. The document needs to be encrypted before it crosses the network, and the key needs to live somewhere the transmission channel can't reach. If your encryption is "the file got delivered over TLS to a Gmail inbox," you've protected the transport but the document is now sitting in plaintext on someone else's server, indexed by their search engine, backed up nightly to who-knows-where.
2. Identity-bound delivery. A link that anyone with the URL can open is not a delivery — it's a publication. Real privilege survival requires that the recipient prove they are who you think they are before the document opens, and that proof gets recorded.
3. A disposal artifact. When the document is supposed to be destroyed — after a certain time, after a certain number of views, after the negotiation closes — there needs to be a record that proves it actually was. Not "we hit delete," but a cryptographically signed receipt (CIPH4 Enterprise) that anchors to a tamper-evident log; on Teams, the chain itself shows the destruction event but doesn't ship a portable signed artifact alongside.

The legal industry overview walks through how these three pieces map to specific practice areas (M&A, litigation discovery, employment investigations), but the structural shape is the same regardless of matter type.

Chain of custody starts before the send

Most firms think about chain of custody as a discovery-phase concept — what happened to the document after it became evidence. For privilege purposes, you need to think about it earlier: what's the unbroken record of who touched the document from the moment your client gave it to you to the moment it expires from opposing counsel's reach?

The pieces you want in that record:

• Origination. Who at your firm created the share? Bar number, paralegal supervision chain if applicable.
• Recipient verification. Did opposing counsel's email address actually receive the link, or did the firm's gateway swallow it? Did the human you intended actually click? An identity-bound link can answer both questions; a regular email attachment can't.
• Access events. When was it opened, from what IP geography, how many times. Not because IP geo is dispositive, but because if a New York firm sees their San Francisco co-counsel's IP on the access log, that's a signal about who's actually reading the document.
• Termination events. When did the share burn? Did the recipient hit the view cap, the download cap, or the time expiry? Or did your firm revoke it on purpose?
• The signed proof. A receipt that ties the destruction event to the audit chain, signed by the platform's private key, verifiable by anyone with the public key.

That last piece is the part most firms haven't internalized yet. A log entry that says "deleted" is a log entry; anyone can write a log entry. A receipt that's signed by a key the platform doesn't have access to after issuance, anchored to a hash-chained audit row whose integrity can be verified against the public receipt verifier, is something a litigation expert can stand behind.

Identity-bound delivery, not link-bound delivery

The default email-a-link workflow has a structural weakness: anyone who gets the link can open it. If opposing counsel's paralegal forwards it to a contract reviewer at a third firm, that's a privilege event you don't know happened.

The fix is recipient identity binding. Before the document opens, the recipient receives a one-time verification at the email address you specified. They click through, the platform issues an identity-bound token, and from that point on the document is tied to that specific recipient session. If they forward the link, the next person hits a verification gate of their own — and your audit log shows the new verification event, not just a second view.

This matters for three concrete reasons:

1. The privilege argument has a witness. If opposing counsel later argues the document went somewhere it shouldn't have, you can point to the verification events. Either the new viewer verified (in which case there's a record of who they are), or they didn't (in which case the document didn't open).
2. The firm's outbound risk is bounded. If the recipient's email account is later compromised, the attacker can't replay the link — verification is tied to a session that long since expired.
3. The discovery story has a beginning. When you're drafting a privilege log, "sent to opposing counsel, verified by [counsel name] at [time]" is a much stronger entry than "emailed."

The security architecture overview goes deeper on how the verification token works and why it doesn't live on the server after issuance, but the practitioner takeaway is simpler: link-based delivery is publication; identity-bound delivery is delivery.

The disposal artifact is the part most firms skip

Here's the scenario every law firm partner should run through their head: opposing counsel calls in eighteen months and says "we need to confirm the draft redline from April 2026 was destroyed." What do you have?

If the answer is "we sent it through our document management system, it expired after seven days, and we have an internal log entry," that's not nothing. But it's not much. The DMS log is your own record, written by software your firm controls. A bar counsel investigation or a discovery dispute is going to ask whether you can prove the destruction independently — and the honest answer with most current tooling is "we'd have to take our word for it."

The shape of an answer that holds up is a signed Proof-of-Deletion Receipt (CIPH4 Enterprise). The mechanics:

• When the share burns (view cap, time expiry, or explicit revoke), the platform writes a row to a hash-chained audit log. Each row's integrity is bound to the previous row's hash, so modifying any historical entry would break the chain forward of that point.
• The platform then issues a receipt that names the document hash, the destruction event, the timestamp, and the audit chain anchor. The receipt is signed with a key whose public half lives on the verifier endpoint.
• The receipt can be verified by anyone — opposing counsel, a court, a bar investigator — without involving your firm or the platform vendor. The math either checks or it doesn't.

This is structurally different from "we deleted it and here's our log." It's a third-party-verifiable claim, and that's what makes it useful for the privilege fight.

A concrete workflow for the next contract you send

Walking through what this looks like for a partner at a 200-attorney firm sending a draft to opposing counsel:

1. Create the share. Upload the document. Set the recipient email — specifically, the individual attorney's email at the opposing firm, not a generic intake address. Set the expiry to match the negotiation window (typically 48-72 hours for a redline turn).
2. Set the access cap. For most redlines, view cap of 3 is reasonable: opposing counsel opens, reviews, maybe re-checks one section. Download cap of 1 if you want them to commit a local copy to their own workflow. These are deliberate friction points — not to be hostile, but to bound the surface.
3. Enable identity verification. This is the load-bearing step. The recipient gets the link, then has to verify their email before the document opens. The verification creates the first audit row.
4. Send. The link goes to opposing counsel via your normal email channel. The document doesn't — only a link to a verification gate.
5. Monitor. During the active window, you can see verification events and access events on your dashboard. If you don't see a verification within 24 hours, you call opposing counsel — because the document hasn't opened, period.
6. Closeout. When the share burns — whether by hitting the view cap, the time expiry, or you explicitly revoke after the redline returns — the deletion receipt issues automatically. You attach it to your matter file.

If the negotiation goes sideways twelve months later and privilege becomes an issue, you don't have to reconstruct what happened. The audit chain reconstructs it. The receipt verifies independently. The identity verification events tell you who actually saw what.

What to do next

Privilege survival isn't about choosing the most paranoid tool — it's about choosing a tool that produces evidence you can stand on when the question comes up later. The law firm workflow page walks through specific matter-type configurations (M&A data rooms, employment investigations, litigation discovery handoffs), and any partner can run a single contract through the workflow above to see whether the audit trail it produces matches what their firm's risk committee would want to see in a privilege fight. The right time to test that is before you need it.