VPN for lawyers: ABA Rule 477R and encryption
The American Bar Association's Formal Opinion 477R (issued 2017, an update to Opinion 99-413) requires lawyers to take "reasonable efforts" to protect electronic client communications from unauthorised access. The opinion specifically calls out encryption as one of the reasonable efforts a lawyer may need to use depending on the sensitivity of the communication and the channel.
A VPN is one piece of that. It is not the whole picture, and most "VPN for lawyers" content overstates what a VPN actually provides. This is the practical version: what 477R requires, where a VPN fits, and what it does not cover.
We are not lawyers. This is not legal advice. We are a VPN company writing about how our product fits into a compliance posture you should validate with someone who actually practices in your jurisdiction.
What 477R actually says
The opinion's core requirement: when a lawyer transmits electronic client communications, the lawyer must "make reasonable efforts to protect the client's confidential information." What counts as reasonable depends on:
- The sensitivity of the information
- The likelihood of disclosure absent additional safeguards
- The cost of additional safeguards
- The difficulty of implementing additional safeguards
- The extent to which additional safeguards would interfere with the lawyer's ability to practice law
The opinion specifically notes that "particularly strong protective measures, like encryption, are required" for highly sensitive information. It does not mandate any specific technology; it mandates a process of evaluating risk and implementing proportional safeguards.
What this means for VPN use: encryption in transit is explicitly listed as a safeguard a lawyer may need. A VPN provides encryption in transit. For lawyers working from public Wi-Fi, hotel networks, or any untrusted network, a VPN is a reasonable safeguard. For lawyers working from a private home network with WPA3 encryption and no third-party access, the case is weaker, though still defensible.
Where a VPN actually helps
Three concrete scenarios where 477R's "reasonable efforts" pretty clearly include VPN use:
1. Public Wi-Fi. Coffee shops, airports, hotels, conferences. A lawyer accessing client communications, court filings, or document management systems over public Wi-Fi without a VPN leaves any unencrypted traffic readable to anyone running a network sniffer on the same access point, and even TLS-protected sessions still expose DNS queries and the hostnames being contacted. The historical record of evil-twin and rogue-AP attacks at legal conferences is real (lawyers are a high-value target for opposing-counsel intelligence). A VPN encrypts the traffic between your device and the VPN provider; the public-Wi-Fi access point sees only encrypted traffic.
2. Hotel networks during litigation travel. Hotel networks see your traffic. Hotel staff see your traffic. Hotel ISPs see your traffic. Some hotels have been documented injecting ads into HTTP traffic, which means they have the technical capacity to inject other things. For a lawyer travelling to opposing-counsel territory or to a forum-relevant location, a VPN limits the network-layer exposure.
3. Cross-border practice. Lawyers practicing across jurisdictions sometimes need to access US-based document management or filing systems from outside the US. The transit network (foreign ISPs, sometimes hostile carriers) is variable. A VPN provides consistent encryption and IP-level routing through a known endpoint.
In all three cases, the VPN is doing one specific thing: encrypting transit. It is not making your endpoint more secure, not protecting against malware, not preventing client-side mistakes. Those need their own measures.
What a VPN does not cover
477R requires "reasonable efforts" — plural. A VPN is one effort. A complete posture needs more:
Endpoint security. If your laptop is compromised (keylogger, screen-recorder, malicious browser extension), the VPN encrypts your traffic in transit but the attacker is reading your keystrokes before encryption. Endpoint security (current OS, current antivirus, current browser, conservative software install policies) is its own layer.
Encryption at rest. Documents stored on your laptop or in cloud document management need their own encryption. The VPN does not encrypt files on disk.
Authentication discipline. Strong passwords. Two-factor authentication on email, document management, court-filing systems. A VPN does not replace 2FA.
Backup and recovery. Confidentiality has a flip side: availability. Backups, version history, recovery plans. A VPN is irrelevant to this.
Email encryption. End-to-end encrypted email (PGP, S/MIME for clients with that capacity) is needed for highly sensitive communications. A VPN encrypts your email-app-to-mail-server connection but does not encrypt the email content end-to-end; recipients on different infrastructure see the email in whatever encryption their server applies.
Document management compliance. If you use Clio, MyCase, Filevine, or another legal-specific document management platform, that platform has its own compliance posture. The VPN is upstream of it.
Metadata in documents. Word and PDF metadata can leak information (track changes, author names, prior content). A VPN does not address this.
Physical security. Locked devices. Screen privacy filters. Awareness of who is sitting next to you on the train.
A "reasonable efforts" posture under 477R looks like all of these layered together, with the VPN as one of them.
Where Fexyn fits, honestly
Fexyn is a privacy and security VPN with strong protocol options and a kill switch that works at the kernel level on Windows (we use Windows Filtering Platform filters that block traffic when the VPN connection drops, not just application-level disconnect handlers). For lawyers, that kill switch matters: a lawyer working on a privileged document who experiences a VPN drop should not have the next 30 seconds of traffic exit unencrypted while the VPN reconnects.
What we do well for this use case:
- WireGuard for fast, low-overhead encryption when working from typical networks
- VLESS Reality with the Vision flow when you are travelling somewhere with active VPN filtering (China, Russia, Iran, UAE; places where lawyers occasionally do work)
- WFP-based kill switch with boot-time persistence
- Crypto-only billing as an option for lawyers who want to keep their VPN payment off their primary card record (rarely needed; available)
- No-logs operation (we do not log browsing history, DNS queries, or traffic content)
Where we do not pretend to cover everything:
- We do not provide endpoint security
- We do not provide email encryption
- We do not provide document management
- We are a Wyoming-domiciled US company in a Five Eyes jurisdiction; for the most sensitive matters where jurisdictional concerns are paramount, ProtonVPN (Switzerland) or Mullvad (Sweden) may be a better fit
- We have not yet completed a third-party no-logs audit (planned for 2026); for lawyers who require third-party validation as part of their compliance posture, that gap matters today
The 477R audit checklist
A practical checklist for solo and small-firm lawyers wanting to validate their posture against 477R:
1. Inventory your high-sensitivity communications. Which clients have what kind of confidential information? Which channels do you use to communicate?
2. For each channel, assess transit risk. Is the traffic going over your private home network only? Public Wi-Fi sometimes? Cellular? Hotel networks during travel?
3. For high-sensitivity communications over any non-private network, encrypt in transit. A VPN is the standard tool. Validate that the VPN actually works as expected (kill switch tested, no DNS leaks).
4. Layer endpoint security. Current OS, AV, conservative install policy. Disk encryption (FileVault on Mac, BitLocker on Windows, LUKS on Linux).
5. Layer authentication. Strong unique passwords (password manager). 2FA on email, document management, court filing.
6. Layer document confidentiality. Document management with role-based access. Versioned backups.
7. Document the policy. Written WISP-style policy that you follow consistently. Update annually or when material changes happen.
Fexyn covers item 3. Items 1, 2, and 4-7 are out of our scope and need their own attention.
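Item 3 says to validate that the VPN actually works (kill switch tested, no DNS leaks); the two checks behind that sentence are mechanical enough to script. The following is an added example, not Fexyn's code or tooling: it takes resolv.conf-style resolver text and a log of outbound flows with the tunnel's up/down transitions, flags resolvers the VPN did not push (a DNS leak) and flags flows that left the machine while the tunnel was down and went anywhere other than the VPN server or the local network (a kill-switch failure). Every function name, the sample resolver file, the tunnel events, the flow log and all addresses are constructed for illustration.

```python
"""Offline checks for checklist item 3: no DNS leaks, kill switch holds.
Added example, not Fexyn's code; all names and sample inputs are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


def parse_nameservers(resolv_conf_text):
    """Return resolver addresses from resolv.conf-style text, ignoring comments."""
    servers = []
    for raw in resolv_conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def dns_leaks(nameservers, tunnel_resolvers):
    """Resolvers the VPN did not push; queries to them leave the tunnel.
    tunnel_resolvers may be single addresses or CIDR ranges."""
    allowed = [ip_network(r, strict=False) for r in tunnel_resolvers]
    leaks = []
    for ns in nameservers:
        try:
            addr = ip_address(ns)
        except ValueError:
            leaks.append(ns)  # unparsable entry: report it rather than assume it is safe
            continue
        if not any(addr in net for net in allowed):
            leaks.append(ns)
    return leaks


@dataclass(frozen=True)
class Flow:
    t: float    # seconds since the start of the test
    dst: str    # destination IP address
    dport: int  # destination port


def parse_flow_log(text):
    """Parse constructed 'time dst_ip dst_port' lines, one outbound flow per line."""
    flows = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts:
            flows.append(Flow(float(parts[0]), parts[1], int(parts[2])))
    return flows


def tunnel_down_intervals(events):
    """Turn (time, 'up'|'down') transitions into [(down_start, down_end)] pairs;
    a tunnel still down at the end of the log gets an interval ending at infinity."""
    intervals, start = [], None
    for t, state in sorted(events):
        if state == "down" and start is None:
            start = t
        elif state == "up" and start is not None:
            intervals.append((start, t))
            start = None
    if start is not None:
        intervals.append((start, float("inf")))
    return intervals


# A kill switch is expected to keep two things reachable while the tunnel is down:
# the VPN server (so the client can reconnect) and the local network (router, printer).
LAN_NETWORKS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")


def escaped_flows(flows, down_intervals, vpn_endpoints, lan_networks=LAN_NETWORKS):
    """Flows that started while the tunnel was down and went somewhere other than
    the VPN server or the LAN: exactly the traffic a working kill switch must block."""
    allowed = [ip_network(n, strict=False) for n in (*vpn_endpoints, *lan_networks)]
    leaked = []
    for f in flows:
        if not any(start <= f.t < end for start, end in down_intervals):
            continue  # tunnel was up: traffic went through it
        if any(ip_address(f.dst) in net for net in allowed):
            continue  # VPN server or LAN: permitted while down
        leaked.append(f)
    return leaked


# Constructed sample inputs, not captured from any real system.
SAMPLE_RESOLV_CONF = """# constructed: the VPN-pushed resolver plus the home router's resolver
nameserver 10.8.0.1
nameserver 192.168.1.1
"""
SAMPLE_TUNNEL_RESOLVERS = ["10.8.0.1"]
SAMPLE_VPN_ENDPOINTS = ["198.51.100.7"]  # documentation-range address, constructed
SAMPLE_TUNNEL_EVENTS = [(0.0, "up"), (3.5, "down"), (8.0, "up")]
SAMPLE_FLOW_LOG = """# time  dst_ip        dport
0.5  203.0.113.10  443    # web session while the tunnel is up
4.0  198.51.100.7  51820  # reconnect attempt to the VPN server: allowed
4.2  203.0.113.10  443    # browser retry during the outage: this is the leak
4.5  192.168.1.20  9100   # LAN printer: allowed by the kill switch
9.0  203.0.113.10  443    # tunnel back up
"""


def run_checks():
    """Run both checks on the constructed samples; returns plain data for a report."""
    leaks = dns_leaks(parse_nameservers(SAMPLE_RESOLV_CONF), SAMPLE_TUNNEL_RESOLVERS)
    downs = tunnel_down_intervals(SAMPLE_TUNNEL_EVENTS)
    escaped = escaped_flows(parse_flow_log(SAMPLE_FLOW_LOG), downs, SAMPLE_VPN_ENDPOINTS)
    return {"dns_leaks": leaks, "escaped_flows": [(f.t, f.dst, f.dport) for f in escaped]}


if __name__ == "__main__":
    print(run_checks())
```

On a real machine the constructed inputs are replaced by the live resolver list (the contents of /etc/resolv.conf, `resolvectl status` on systemd-resolved hosts, or `ipconfig /all` on Windows) and by a flow log from the host firewall, with the tunnel deliberately dropped while a known probe connection is attempted. The useful reading is the empty case: a validated setup returns no DNS leaks and no escaped flows, and any entry in either list is a specific address or flow to chase down rather than a vague feeling that the VPN "seems fine".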
Frequently asked
Does ABA 477R require a VPN?
It does not require a specific technology. It requires "reasonable efforts" to protect electronic communications proportional to sensitivity. For high-sensitivity communications transmitted over public or untrusted networks, encryption in transit is one of those reasonable efforts; a VPN is the standard way to provide it.
Is Fexyn HIPAA-compliant or 477R-compliant?
Neither claim is meaningful. HIPAA does not certify products; covered entities implement safeguards. ABA opinions do not certify products; lawyers implement reasonable efforts. Fexyn provides encryption in transit, a kill switch, and no-logs operation; whether your specific use of Fexyn satisfies your specific compliance obligations is a question for you and your compliance reviewer.
Should I use a "lawyer-specific" VPN?
A "lawyer-specific" VPN is a marketing label. The technical requirements for VPN use under 477R are the same as for any other privacy-sensitive professional use. Strong protocol, working kill switch, no-logs, reasonable jurisdiction. Most reputable VPNs meet these requirements; the marketing label adds nothing technical.
What about email — does a VPN encrypt my email?
A VPN encrypts the connection between your device and the VPN provider. From the VPN provider onwards, your email is in whatever encryption your email server applies. Most modern email is TLS-encrypted in transit between mail servers, but not end-to-end encrypted (the providers themselves can read it). For end-to-end encrypted email, you need PGP or S/MIME, separate from a VPN.
Can I deduct Fexyn as a business expense?
Probably yes, for solo and small-firm lawyers. Talk to your accountant. We are not tax advisors.
What about firm-wide deployment?
We do not currently offer a dedicated business tier with centralised provisioning, single sign-on, or compliance reporting. For firms wanting that level of administrative control, NordLayer or Perimeter81 are better fits today. Fexyn is appropriate for solo lawyers and small firms (under ~10 attorneys) who manage their own setup.
Try Fexyn free for 7 days. No card required for the trial. The How to choose a VPN guide covers the broader buying decision; Kill switch explained covers the specific kernel-level kill-switch implementation.
Last reviewed 2026-05-09. Not legal advice; talk to a compliance reviewer for your specific situation.